8f68818a658dcae93f910e09cbed147c438a636b9d27b978af0028e1fc6fbf09

Analysis

max time kernel
300s
max time network
249s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2023, 09:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ContractTerm_Malware sample/ContractTerm 869822 Mar 22.html
Size

161KB
MD5

cc7b27bac8c95a50cf99a01162fe904d
SHA1

f3ad3d1f9dee2811e0172e06cfaa23c6cf0b341e
SHA256

53cc9cbfee6f80b7d5a39085676fe4838a3025c7cdf374f55523f71267564822
SHA512

f3816063a8cafd867384f4237a0d9e9e65efe013e1ec4acfd936c3fd1eefbd717943028a7f94f46e496e9a5bf645edaea95177a71ce9daccc29c4830fc8e3ace
SSDEEP

3072:I+YiSZim0uDnZRq7eg1DP5doDkiSZim0uDnZRq7eg1DP+:I+pSZim0uDnZRq7n5P5yDFSZim0uDnZL

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133245631856383161"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2136	chrome.exe
2136	chrome.exe
4112	chrome.exe
4112	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2136	chrome.exe
2136	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 4784	2136	chrome.exe	76
PID 2136 wrote to memory of 4784	2136	chrome.exe	76
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2604	2136	chrome.exe	78
PID 2136 wrote to memory of 2400	2136	chrome.exe	79
PID 2136 wrote to memory of 2400	2136	chrome.exe	79
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80
PID 2136 wrote to memory of 3492	2136	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" "C:\Users\Admin\AppData\Local\Temp\ContractTerm_Malware sample\ContractTerm 869822 Mar 22.html"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc12a9758,0x7ffbc12a9768,0x7ffbc12a9778
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1812,i,7837268926365262384,1503180851682710122,131072 /prefetch:2
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,7837268926365262384,1503180851682710122,131072 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1812,i,7837268926365262384,1503180851682710122,131072 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1812,i,7837268926365262384,1503180851682710122,131072 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1812,i,7837268926365262384,1503180851682710122,131072 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1812,i,7837268926365262384,1503180851682710122,131072 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1812,i,7837268926365262384,1503180851682710122,131072 /prefetch:8
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1812,i,7837268926365262384,1503180851682710122,131072 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4984 --field-trial-handle=1812,i,7837268926365262384,1503180851682710122,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8f3ab581-bad2-496f-925e-556790c4c784.tmp

Filesize
6KB

MD5
da561d0d5b0ed61dd8ecb374d0218474

SHA1
32b3b81fe1a2841e30227ff9184dd9c10d2acc5b

SHA256
8546fc5dda84c2048dfbf0cd0c5ca0d019ea737c4422526072704287c1c3fed4

SHA512
6dbe88470e03126900e29559e206cd03616dea810334d241aa4b7662fa6a8f6d6096c053c242e44cea078a7ac1cfa4e69e9c15698d8ff0b1c42cd20526dc9006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cdac33b33c73f6a2718109f93c8b4aec

SHA1
b5ba955cef743fd36d51414eed226922106119f1

SHA256
d03578b7ea59a3c2ea81fef512ba11d5b04e7b4be33b3b551cf3ed5bda0aaf79

SHA512
ad9a42e8507a56fd41080fe1e8e4d2ff20f10d617805a2751f133f5841f2dbc113caa07730ab8072e304f4a36afb45d867fd09bf23d130c9a30a2fcd556024d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
2631507a7f24186013881f75f2c2bdd8

SHA1
22c7b6336f79a57eeadf33f9dbb20780ea2e6b11

SHA256
4da55e69420c42c1a10617e22d2a6d7e0835492a9444632e62876a60a5b988f2

SHA512
0b9ee1a2a00429ce6168c0b99e8aa7e6eaf4a13beb66abb21e251b00bd1d32f1dd5437acb94b6ad56df85362db188d089cf31bbb2c251bf6fcf1c826e844d9fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b24ef962852b83b570448b868a82f6ae

SHA1
68cc071d030c76201611dfba54d71461cb62d97f

SHA256
a40d2e17b85d7fee6f56e1c2deb99183e356619101c74e5663b37563fb7aa558

SHA512
ffabb89d738619e8b4c1f05c67df8370becc3a9b8963b78e1b10d952e67b293724990fac240fab6c9d79246699a6505048d7787c72102f69fecbfa2e5045d154

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
653910b52c1d671000961fa47b9e5e9d

SHA1
54ca9ee218862c890feb60be410942009e7b4d4e

SHA256
203d29e8d06996cca72822a1478c0f9b818267a3a7e9059ad3e65e85d1f9b768

SHA512
46e34eda0b9c41c80d8ce23d16345a27753a43620a4d77a8d10fcd0158f13502283ad436c1ebee67488561ed773bfb7443706bd43ed53cef5dd729605dd8130c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
7cbc561c6512b7363af19b0343bebe3b

SHA1
108cae64c4bae21282a07f809b7c3ce8c3ddc591

SHA256
99c03f37f656b59da34371d7e9588e3ff7972a5b9c56d6b9a2d49640596fbdcb

SHA512
a8b4688305a704bc224d250e255200b2ce41546ec335179b8f22d2b511e38aaac0d0f14422491bd23daa72d5c4739a34b378d27721b10ac57828df84e884f112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit