hxxps://uxyc-zcmp[.]maillist-manage[.]eu/ua/optout?od=3zd19aec5f48ea1c218bd1d697d7bc7f10&rd=1f238707436ebf2&sd=1f238707436ed2b&n=11699e4c151542e

Analysis

max time kernel
56s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://uxyc-zcmp.maillist-manage.eu/ua/optout?od=3zd19aec5f48ea1c218bd1d697d7bc7f10&rd=1f238707436ebf2&sd=1f238707436ed2b&n=11699e4c151542e

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133241362880928823"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4860	chrome.exe
4860	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4860	chrome.exe
4860	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 4840	4860	chrome.exe	86
PID 4860 wrote to memory of 4840	4860	chrome.exe	86
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 4412	4860	chrome.exe	88
PID 4860 wrote to memory of 3540	4860	chrome.exe	89
PID 4860 wrote to memory of 3540	4860	chrome.exe	89
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90
PID 4860 wrote to memory of 4120	4860	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://uxyc-zcmp.maillist-manage.eu/ua/optout?od=3zd19aec5f48ea1c218bd1d697d7bc7f10&rd=1f238707436ebf2&sd=1f238707436ed2b&n=11699e4c151542e
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7e6f9758,0x7ffa7e6f9768,0x7ffa7e6f9778
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1792,i,176814667519513046,7176597308115193118,131072 /prefetch:2
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1792,i,176814667519513046,7176597308115193118,131072 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1308 --field-trial-handle=1792,i,176814667519513046,7176597308115193118,131072 /prefetch:8
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1792,i,176814667519513046,7176597308115193118,131072 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1792,i,176814667519513046,7176597308115193118,131072 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 --field-trial-handle=1792,i,176814667519513046,7176597308115193118,131072 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5368 --field-trial-handle=1792,i,176814667519513046,7176597308115193118,131072 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1792,i,176814667519513046,7176597308115193118,131072 /prefetch:8
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1792,i,176814667519513046,7176597308115193118,131072 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1792,i,176814667519513046,7176597308115193118,131072 /prefetch:8
  2⤵
  PID:1732

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
194KB

MD5
7abdeda3ba79e9a717ade24c354e96c0

SHA1
2451c0abe2a2681d7d965cf023d4defe8586a8f5

SHA256
312a8644d50fff30e7597164c9ae65adae91f1890a2800bd1c00e742312bf547

SHA512
cb85aa128770ec61915a80f261d21372e0e670a67e163a78a2f43f68955e4e79a9a3b7fc86367dc5c9ee7b9a4793accc17b44ac3d466ff5bdf88563102c8d02f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
1.5MB

MD5
e7c73066ac6ee31bf54fc881d3d03c12

SHA1
05f3a8423f32292f5183dea5ddac3b382b2fbbeb

SHA256
865f38dd20c22415cba4cfa43a039a938dd001d7239aaa592791e7996a271f81

SHA512
7a29f087a8e9c36816a40b6ac6caa54998e97fa1f9f77c3b2852dab06b923faa3721a13fd8bc823445ebd6ae994a28aed8f6e21728502cd041751ff8d034057c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
01d3f258f67f21a94e383cd8d73f01f2

SHA1
0e6ed0c6f121e8e8e9aae807a78d91c0fc4a3d94

SHA256
75c2bece30665113ff41e1a19e09398145f285259d5a084cebcab8afc740e307

SHA512
dc6ed5642f5116bbd85c67f98795c2d52add6a590aabfec8418a3076580a00087914b6059fed4b94fe6810ec32ac2a50d44163b85620de14cb1ba969ecb09559

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e91f7516d281a1d0b5b43238b8c2ed04

SHA1
00cb84c82b68336410740669d9581f3b31eca88a

SHA256
c1f82136a587ae40515821400ec3d90630496ef0b9f6dc2933842407701d5913

SHA512
23d6af9adb97b4f4d83deaf74d46eb8662967f55cf4226f384eb866bfa06d70948368ea9cdf5d472bc197300ebd38271e10a49210cc07d2d49010e6679f3ea2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7fb91bd9cae6fa78af861f4290b69ecb

SHA1
945415ea5c8f6b546a86bada444cca3e3f28d445

SHA256
b1b5fa2ede03041d6ba48d1ca1f9bb25a2201701c9a9d8aaddd86e25b459e95c

SHA512
695fb2bfe31fe8a7f06a328956024e8a5582933795069b838dd71acae7e949c8308edd7270120687878eabee68f8263366ce71b413d18e51326a7c6a50b94a78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6445afd9db1b88ee38a6e202c6d4706d

SHA1
fb437a8e38a478351a096963d87800e83dbf8d65

SHA256
7393e9b671b8c57c66e2d8c1c2b2cdf69c3782e305f1cbe1f6ba58940921264a

SHA512
0391658f12b89bb8c11d277178baa4063525e4f0b020a6e5cd453734d5c1ae95b5ff53ca25b9f54d5708ca8291710b189f30a558240a681ef84ecbf703ceda35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
146KB

MD5
64ae4e96ddebd39a74568cc5ba132047

SHA1
f909f948324fcf192e6ac271c84035d2717d6c74

SHA256
01c3d14ba92f8090851f1bd11833ba557aa74b03094e0674d5d1b97032fa084f

SHA512
26b7c6c7d73a6842eed90b7de8f8cdbfe98ed7e9796d7fced65146313343c57a056ec9d796f6d9a7ca1b9edd67be9f9dcd13d3ab5d028da860c8c5b56824ced3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
d9f42edc2a875408e2a30ba92b0e4255

SHA1
1cf297247cc08a3d43fc86c7ecd3743cfabded56

SHA256
573659847ae9e06b33a6e408905259b8bb420dc891f546b7c9063cefb472d2f3

SHA512
c0fb158b7640122072248e9101e125580f7be746b3350c786a4441e27704ee13d8c93ff9a621476a013a0b0b7be8ad3669e6bb85df7f03b8834bc2a5161aaa31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit