hxxps://forms[.]office[.]com/Pages/ResponsePage[.]aspx?id=nVHqdJKXqUqG2bfKuCBN3cT89Pnk-NBCjpiRKc3wOVpUQzNTV0FMVjlHR1JJQkVUNjRSTkdPQktTMCQlQCN0PWcu

Analysis

max time kernel
600s
max time network
495s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2023, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://forms.office.com/Pages/ResponsePage.aspx?id=nVHqdJKXqUqG2bfKuCBN3cT89Pnk-NBCjpiRKc3wOVpUQzNTV0FMVjlHR1JJQkVUNjRSTkdPQktTMCQlQCN0PWcu

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133249981321859913"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
4420	chrome.exe
4420	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 2112	564	chrome.exe	83
PID 564 wrote to memory of 2112	564	chrome.exe	83
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 4736	564	chrome.exe	84
PID 564 wrote to memory of 2664	564	chrome.exe	85
PID 564 wrote to memory of 2664	564	chrome.exe	85
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86
PID 564 wrote to memory of 648	564	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://forms.office.com/Pages/ResponsePage.aspx?id=nVHqdJKXqUqG2bfKuCBN3cT89Pnk-NBCjpiRKc3wOVpUQzNTV0FMVjlHR1JJQkVUNjRSTkdPQktTMCQlQCN0PWcu
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad1eb9758,0x7ffad1eb9768,0x7ffad1eb9778
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1808,i,2685803721467221976,4367267429209900834,131072 /prefetch:2
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1808,i,2685803721467221976,4367267429209900834,131072 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1808,i,2685803721467221976,4367267429209900834,131072 /prefetch:8
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1808,i,2685803721467221976,4367267429209900834,131072 /prefetch:1
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1808,i,2685803721467221976,4367267429209900834,131072 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4544 --field-trial-handle=1808,i,2685803721467221976,4367267429209900834,131072 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4248 --field-trial-handle=1808,i,2685803721467221976,4367267429209900834,131072 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1808,i,2685803721467221976,4367267429209900834,131072 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4976 --field-trial-handle=1808,i,2685803721467221976,4367267429209900834,131072 /prefetch:1
  2⤵
  PID:180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2300 --field-trial-handle=1808,i,2685803721467221976,4367267429209900834,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
4a521a11524c84f7d3aaa42b93e57372

SHA1
0950dca222e2e569353cd898716722da19a0cf62

SHA256
c61ab3b77f88443517c9a460615f9d497e8b0ce02e5d091a46b4d2b62cd63717

SHA512
1501a8b5f8dd6039fe5f621c4e13e9c01f3fe06f480c567b40137f1848a4b51452e7ead5be5ff5147ee5a3aac9998e68b9b9b6a15cdedd105515262b3f5319e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\253b3278-6ff2-4a65-8ebc-b1d6cf1d63e9.tmp

Filesize
1KB

MD5
a439c259482eb9247312318a89495246

SHA1
12ac609ca01bbeeafa9d0920f93ab8a49dd42464

SHA256
12b8ce309f21be1f338e47b9fb1071a281e841968d3aa96d1b691562b23504b5

SHA512
44079833e63bc09afc28c3bd8b240c55daa85386e9c20bcae8d7a964f7ec0f4cff3a34e809ab38df00f2fd2e4054125592bf603df6c1e6b9e0c9115adcd8f353

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e17b95f358c86b6fa184dd2c42051b19

SHA1
839ecbd432784e87df252afd0930fdefac470e41

SHA256
8df0e29b3224356dc816c58eab15eaac907b10887a3a53f42ffb01d3cbf75a9b

SHA512
dcbe0f446bfc58e7d3ed6f76cd544120ab294fcee366935906aa9ed91dc033d6a5acf636a44b59be2025df9e7be7ff83a5bc8b02dfc762e3a3c8f2d6041d29af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2b39975b0f1dacf115edd9549ebab5ac

SHA1
37fa05c079a9fcd8ff34164e339b7264954bf338

SHA256
ccf71521f9afe59520066fc2a97843a2be65893d3b6411a7714de7a3b322a666

SHA512
6382880805ed7ef77738720721b958f80e58e43d6a5fe8d7b8e58884e41d01ba5a868f987d5e0bf01dd83a24d98d609d474d28bcbf0b8f22f1abe5d3c2708650

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
eb88901b613c558677ee22c6fd7cc3b8

SHA1
2245867cdac99aae66d5135e59c97e42449e2603

SHA256
90edcd7e7243f1d40c68adb7d823538a93e051493918ec74ab154598481462fe

SHA512
79ee3aa74036cc85965ba844723fdfcd92b4db9f7dfc21bc7b86abe3b56ca8cf2bae32a987f8ae982e97356057460a69c8bffbf47dacb3fecce43f1a01e8174a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3804b44ebc2f56c1410ddafc22c86d20

SHA1
88483b80e5d740af462722faaf52e70648329c06

SHA256
f6d004a1f656c87d306681642b75e8d95d2cdbaa33a19b8aa3fe2604f6721c2e

SHA512
ac75b733288796ed17450775adb2556304952c7943d8484ed33ce12d2507751b8cc5f382bee4e81e504e9676311a4873672eec594b4c69d40ee0f5375c9ffcdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
8bf2e6cf2c552014aae836acf746f78c

SHA1
1ce3e6bd6b8fe447dcb5ac041c17dcc51a49092f

SHA256
952250e884235dc1d4a67c04a9c708b808e3916d7e1e02c18b461e46caf4bbcb

SHA512
3c18a8542924a731603c58eb9b8818c9ac56d968a6a82780bdd32267f8f9f5fe83cbc9f6dbee1d30aecdd0737c1573ef1d5d6525a030571b041bcfd60a576740

Download Submit