hxxps://protect-au[.]mimecast[.]com/s/aPkxCwV17BSGzOqWhK7caM?domain=cloudnloud[.]com

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://protect-au.mimecast.com/s/aPkxCwV17BSGzOqWhK7caM?domain=cloudnloud.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133247142254876851"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1612	chrome.exe
1612	chrome.exe
3744	chrome.exe
3744	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 380	1612	chrome.exe	83
PID 1612 wrote to memory of 380	1612	chrome.exe	83
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3248	1612	chrome.exe	84
PID 1612 wrote to memory of 3068	1612	chrome.exe	85
PID 1612 wrote to memory of 3068	1612	chrome.exe	85
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86
PID 1612 wrote to memory of 5116	1612	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://protect-au.mimecast.com/s/aPkxCwV17BSGzOqWhK7caM?domain=cloudnloud.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a85c9758,0x7ff9a85c9768,0x7ff9a85c9778
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1812,i,15280988933954695435,7123094669315001713,131072 /prefetch:2
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,15280988933954695435,7123094669315001713,131072 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1812,i,15280988933954695435,7123094669315001713,131072 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3208 --field-trial-handle=1812,i,15280988933954695435,7123094669315001713,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1812,i,15280988933954695435,7123094669315001713,131072 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1812,i,15280988933954695435,7123094669315001713,131072 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1812,i,15280988933954695435,7123094669315001713,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1812,i,15280988933954695435,7123094669315001713,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5144 --field-trial-handle=1812,i,15280988933954695435,7123094669315001713,131072 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5064 --field-trial-handle=1812,i,15280988933954695435,7123094669315001713,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3744

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bc13c23bcbea9891cfc64013da2d51a0

SHA1
db1696f81eb4eae0a8bdac43031d28f46c481003

SHA256
592c093edac1bb62e036020d5f7c9abe6bb8428090fce6caf73be81ed46b4b32

SHA512
9cbec73090fc22e1dc087dd958464a95d3cd44c6234a7cc38e2732b0dbca67d12c1f6b0027ffa4d8c1ad8135b99317e44e14e32d6e5440d6e2d2b0dfef975aa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
ba91e24f20b7ade4860e78faa458532b

SHA1
9c224189828b728a9e0774c4af279ec1fcb580cf

SHA256
50b6c739ecb887c4501767482a64346e1f24ab7315655038dd8ce41199662640

SHA512
cd5c38aab6e904e89a4dd71f2b17245c0bccf6d41c6f879cf7ebefbd88941645d63397d531cea51cfee6fb565e67834bdb344d8031a48bc73c904bbfdd9356bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f090b317884ecd5bd9721fbcc08d31e8

SHA1
25c6f52c23fb60d82f5f22442b1b700020ca6d15

SHA256
2ee0072798660bfe304b9580d186c7bafa5406f57590582b50e77a7379c7b6ff

SHA512
984cb20d40481d544017e1d74d85209386f9cd929501836d2fd35e3e3d3d3d3f5f443b0786195c278842e5dafad1456cee3b6d0dcaed1c5dd78eadfa00cc5958

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4214f03db1f0f0f2d964e53c08947542

SHA1
4dd7c0270ce1cc7d02558cfeb43c8e184db677c8

SHA256
356ea99a2d5b141faa89a74b970115a6a89de422295e5475686f88378a4f09d3

SHA512
76e49abe1e173e281bc87de8948c20155c2220f4ac2037015d008422d72d8ad7544be4efadff8d5977b35571d3865756e2653f15a713dc5b0c39f64d6ed9892c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1d02b66fe386540028567a05a5484ffb

SHA1
540c20a7ab9490c91b6223a9cfe9e6982b825ae2

SHA256
a316b64edf26d7d9a4f00c10cb71543f51c54c9cb72c9d3e08b8630f777a6ead

SHA512
4f31062719e4d2eba496f0f007076cce93082d4fab2147bad5bddfcf8cfae077143cce92bf26b90960da7dab93d72f1690cc8518e1b7f95f3fe17fdf68e25b1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
b3797dfd224b2914848d6309f17d17fc

SHA1
019672af03547ddfc10f65bbd982937de880ed44

SHA256
9a478c5423461b0ee3582cb7622a572b6f58ca3c887460fd72b7e75b986fc36e

SHA512
e772e0a91464643962a3e94a246f749ababe03316da7178a1982ec899788cc55e81634710bc55a5bba2271ece30aca348604337f960d2786822d52e5ebad825f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit