hxxps://nam02-quarantine[.]dataservice[.]protection[.]outlook[.]com/spamdigestesn/spamdigest[.]svc/releasespam/orgs/b55dcd02-8c11-4911-9234-0f2483650458/users/rebate_buydown_accounting@murphyusa[.]com/mail/ee009b34-6261-4b6b-3f6f-08db2b0ab595?token=1%2bEKEewxG94MO8mjEGrOyOBReUdyUWUFnDEh%2bgkVHXw%3d

General

Target

https://nam02-quarantine.dataservice.protection.outlook.com/spamdigestesn/spamdigest.svc/releasespam/orgs/b55dcd02-8c11-4911-9234-0f2483650458/users/[email protected]/mail/ee009b34-6261-4b6b-3f6f-08db2b0ab595?token=1%2bEKEewxG94MO8mjEGrOyOBReUdyUWUFnDEh%2bgkVHXw%3d

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240832726624199"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

820 chrome.exe
820 chrome.exe
1328 chrome.exe
1328 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

820 chrome.exe
820 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 820 wrote to memory of 4072	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4072	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2196	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2680	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 2680	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3776	820	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://nam02-quarantine.dataservice.protection.outlook.com/spamdigestesn/spamdigest.svc/releasespam/orgs/b55dcd02-8c11-4911-9234-0f2483650458/users/[email protected]/mail/ee009b34-6261-4b6b-3f6f-08db2b0ab595?token=1%2bEKEewxG94MO8mjEGrOyOBReUdyUWUFnDEh%2bgkVHXw%3d
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f08d9758,0x7ff8f08d9768,0x7ff8f08d9778
2⤵
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1812,i,16931332859346436454,98224063333587673,131072 /prefetch:2
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,16931332859346436454,98224063333587673,131072 /prefetch:8
2⤵
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1812,i,16931332859346436454,98224063333587673,131072 /prefetch:8
2⤵
PID:3776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1812,i,16931332859346436454,98224063333587673,131072 /prefetch:1
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1812,i,16931332859346436454,98224063333587673,131072 /prefetch:1
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=1812,i,16931332859346436454,98224063333587673,131072 /prefetch:8
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1812,i,16931332859346436454,98224063333587673,131072 /prefetch:8
2⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1812,i,16931332859346436454,98224063333587673,131072 /prefetch:8
2⤵
PID:2564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2568 --field-trial-handle=1812,i,16931332859346436454,98224063333587673,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1328

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
882B

MD5
8ed59a66c8749bea51f811c410f88970

SHA1
60c707a585ca1a14c16731f3beea1bb8331faf2b

SHA256
e0ad6a43cd73b527938b094a214cd30250b42b99715c29f96f160722c1d3f4bc

SHA512
5adb77c3683b6998231392bc338753f907d4806dc8b67a34318fbbcacbf270f0eefd59e28517139526f98a847c7e0f172b0843ba9117da83030c425fd6064a88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
538B

MD5
103018b5a651730e384120c837c0a1c0

SHA1
6315735c93a582bdf2ed929e2e52a680549520f2

SHA256
02153ed07dbd5c093f3579aed0e331d3655ec7c6b10115a12115f0559957452b

SHA512
8c2f26e2f86fa580765241305c182d8785e7be70c17bba63fcc73d0f7c826439893c155687a05c26f3d6cd90e003804f9964114bb3184f2752fe93ce65fdd417

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
cde260921b523e4665879a8ec46c27d2

SHA1
7e02d44d463e15119fd8c3b46ef00a5a2d33e59d

SHA256
af7e1835c747a3705fe30ea5d8c795d178b625edd3d30d866e2fe683f01e73e7

SHA512
fdc36845dc7173b6c476d11839fb24dec25cacb02f613581d898af1ad54008cc9031aa5de0f4fae412484e0ade4d73edd50529fabb7c9b5d0c0e29f144c52245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
edd4d36d15c5cff6e77f3273bf21ccd6

SHA1
bd75cd4e60a22831242891b725f6f7f6583b7085

SHA256
484ee625136b1713eedc406ab2abb5618c1235dda9326ffdb1fc481fbb7ce8c1

SHA512
9a6bf1f55fed5897ae0c98af14ee9ac2c119ebc6eeb1795fac26e1c950db80df73b07c636a6afe8f70aa330bb05374e8e47ae5f8031ab0c71e7875e8bc036b1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
d4d4f2b80be2b19138265ae8668c880b

SHA1
c0bd33a4bfa6d0fce87a305d033c3a538d2f71d5

SHA256
673db6749da3f0231b51242863204862250f34df38d99cc536ab9e2106654223

SHA512
6b3cb68b5cfe995973739bccd672cd6c8b198bc0dba56bb87cbe8c0dd3fb8baab19077c1db1ca5aa8db4a1ed0afae9f060bd7b05a897dd79b7a7f273fe358792

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_820_FAAPRVYNONGREJMP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads