8f68818a658dcae93f910e09cbed147c438a636b9d27b978af0028e1fc6fbf09

Analysis

max time kernel
40s
max time network
286s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29/03/2023, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ContractTerm_Malware sample/ContractTerm 725365 Mar 22.html
Size

158KB
MD5

9e9566de08e8427298cd54ed7aad8ca0
SHA1

2e0c46dac89438e5b7b73ce86dd644e565337a68
SHA256

b4d5134866378f2a0585b60d8ebd79ee25161cc361915c83a7ab8d95bf3970b5
SHA512

4a0aac83e17aafd1c9ab5f6e3fb6021e362df3ea781c5cf1a782dd453c7c68100b9e3c768347e65600a27ff7eaad3badfacfaa0f11b97b671c0909905763b5f3
SSDEEP

3072:jGGAiOcZPE0ijmnFysU2CCVkdolGGAiOcZPE0ijmnFysU2CCVP:j3ccDEyl3ccDv

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1932	chrome.exe
1932	chrome.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1644	1932	chrome.exe	28
PID 1932 wrote to memory of 1644	1932	chrome.exe	28
PID 1932 wrote to memory of 1644	1932	chrome.exe	28
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 1876	1932	chrome.exe	30
PID 1932 wrote to memory of 700	1932	chrome.exe	31
PID 1932 wrote to memory of 700	1932	chrome.exe	31
PID 1932 wrote to memory of 700	1932	chrome.exe	31
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32
PID 1932 wrote to memory of 1488	1932	chrome.exe	32

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" "C:\Users\Admin\AppData\Local\Temp\ContractTerm_Malware sample\ContractTerm 725365 Mar 22.html"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef66a9758,0x7fef66a9768,0x7fef66a9778
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1328,i,17551778872383390404,6930016480587170361,131072 /prefetch:2
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1328,i,17551778872383390404,6930016480587170361,131072 /prefetch:8
  2⤵
  PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1328,i,17551778872383390404,6930016480587170361,131072 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2176 --field-trial-handle=1328,i,17551778872383390404,6930016480587170361,131072 /prefetch:1
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2168 --field-trial-handle=1328,i,17551778872383390404,6930016480587170361,131072 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3284 --field-trial-handle=1328,i,17551778872383390404,6930016480587170361,131072 /prefetch:2
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3136 --field-trial-handle=1328,i,17551778872383390404,6930016480587170361,131072 /prefetch:8
  2⤵
  PID:2360

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\04edc733-4b37-4a5a-97e0-d85f1ef9a77c.tmp

Filesize
4KB

MD5
7b98ab91a999d18be22daafad2703907

SHA1
5d1a9295ffefabab4d4d92219debd41aeffa349c

SHA256
6e829c9ae38878b1e98f7524071f169d4f9052886294163d674ee36ea5252607

SHA512
9561a77d5da14b2d45cdebedb48bffc7a387d8fab933b50ee388d09c1b8b3cf111e9e524a161f1e54995f8a423387e6824c9e04ced5230a0bdfe8c1c8be8863d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6df6be.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
52dffe8a61da4c843588882bec2dc591

SHA1
77d981aae9daddf5978bb34927e59678be1b50b4

SHA256
b282e2722a4411b1e242b70a0bb7dcede49f4501a54d2637740847e6046ef1db

SHA512
8fe2b7c1899b35a992007bbd5369120bd4cf6dafc475a67a9a913c16e6a88db93335f7bce30b73899eb4e59ef1ba05d53d0770a043d303eac8ea46326752702f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
3121f86f3f7ad043c1ee7ccd280b3a60

SHA1
eac3bc9690af68aff8f18d22be3d3cc4001bca53

SHA256
02dbe1052e97ffa7c3ca91ebd8c91ad228d13627b2da0060f8a1aa5d5a58de4d

SHA512
4d768611b9b81fe5b1ca3115ce46d9fda98ec76970e908479801715d348fe70af22b944f3ffe41373c08a4dfab99f71d55a73538298e0ed7005b422d27bc29a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit