hxxp://go[.]microsoft[.]com/fwlink/?prd=11324&pver=4[.]5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Squirrel[.]exe&platform=0009&osver=7&isServer=0&shimver=4[.]0[.]30319[.]0

General

Target

http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Squirrel.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240938913952485"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4160 chrome.exe
4160 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4160 chrome.exe
4160 chrome.exe
4160 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4160 wrote to memory of 3316	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3316	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4820	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4856	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 4856	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe
PID 4160 wrote to memory of 3712	4160	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Squirrel.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb998b9758,0x7ffb998b9768,0x7ffb998b9778
2⤵
PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1792,i,8511850647351196791,1241848485258999946,131072 /prefetch:2
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1792,i,8511850647351196791,1241848485258999946,131072 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1792,i,8511850647351196791,1241848485258999946,131072 /prefetch:8
2⤵
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1792,i,8511850647351196791,1241848485258999946,131072 /prefetch:1
2⤵
PID:3084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1792,i,8511850647351196791,1241848485258999946,131072 /prefetch:1
2⤵
PID:1360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2936 --field-trial-handle=1792,i,8511850647351196791,1241848485258999946,131072 /prefetch:1
2⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1792,i,8511850647351196791,1241848485258999946,131072 /prefetch:8
2⤵
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1792,i,8511850647351196791,1241848485258999946,131072 /prefetch:8
2⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3292 --field-trial-handle=1792,i,8511850647351196791,1241848485258999946,131072 /prefetch:8
2⤵
PID:732

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\617d3928-3b55-4c48-b932-170b15a1d2f7.tmp
Filesize
145KB

MD5
35ba1ff68f062afe348928f90bd24c0a

SHA1
ffd9216f4dc4224067a9e5e8b2d3668acc3429e4

SHA256
5efbfcb94b4c3fae3f3ecc416ba34467e85de7bf06e435b92d136c29454c8d21

SHA512
c34b738415f492b623ecc76cfbb2f0ba4f8ad92c0792bd044b635e3dc8e6b6924d1f3fe1947a3c7d39da6fc21962e9e02db68ccaa48f0f5ec824ed1040cf44b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4858fb37-7216-4103-899d-373528b0511b.tmp
Filesize
6KB

MD5
f3893fc77dec40594ae545b80e7cf28c

SHA1
5d19759ab1138a3f7a4a5e5ee64399cab238cb74

SHA256
e4f2eaac8098c44a5ffd2636c86f3113ed7da74eba167ef7ce9d1d53261d4457

SHA512
2015b659c0060426cb267a1966a35d30ecacb417533125e3d4d4182f78da00a83b3276d9beb6a20f37626d78a9db3ad3d79206f609b6d2b5fdec208a43d33f8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
d8f95a28078d58ff458cd9fc3c5c8776

SHA1
b92b7d153b2245df79bbd11c1fbfc67f5d9077eb

SHA256
f6f3608c06fe7fab858c941c06e38f5e3d638dac365fe2f697b4be2257d013b2

SHA512
66a0dfe68adb00cf007b660e951b8c22025edb818dc0ecba7e0115454d9eda57794bf19ba0892a17366cdeb367a9e56dfea346bd4473ce1b143e3da7b3e0e071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
706B

MD5
13df2c39ba53bac3999a4759c0a49f39

SHA1
f8d97cdf31473aa6c232a055d2f132fcbd76b07c

SHA256
dfc76ba898e035404fec7b45556ffe872fc5b1395ce95f312401d4713a90d9da

SHA512
2659742938c8b4fb6e7576a48f8a318dc472d34d9d0780ab38e63df5bf637e40594fa77ad6f40d64eb07e2f47a51fea8ef30385cfe1d40280e1d839df03eb465

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
706B

MD5
62642b8b25b607563f083538035b8051

SHA1
848b866c993b03756b018268ead58cf91433ba8a

SHA256
93c0bb108617ba2b95fd461a93ad711f003caa2e61975d9a176d7397881c0e65

SHA512
159acfc918af80d2a3a5a64b9882870674917c06e44632cc553ea6298239ce11302fa0b7a82f3bee3508418ef2adec209874090601378ea19edbc2392804938d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
1441c21c6908e0201007f4d374a572f2

SHA1
92ffcbf534df511cf0d725c5f54efd232e6bd530

SHA256
62817a1d421b62e47c632049c4ba9bd8a9634d28c6eff2d27a8ede6bd39c128f

SHA512
9fccc3b9ffa954802ac291dd470a3838156d392c300a63d95cb982de7834b317b684d87a16aea440649a5464086c4572e704779d55731516eb9cb99456bc2007

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads