hxxps://protect-au[.]mimecast[.]com/s/awCNCP7LWvSKKBJNfzxGtF?domain=canva[.]com

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2023, 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://protect-au.mimecast.com/s/awCNCP7LWvSKKBJNfzxGtF?domain=canva.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133257417998337431"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1052	chrome.exe
1052	chrome.exe
1500	chrome.exe
1500	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2012	1052	chrome.exe	85
PID 1052 wrote to memory of 2012	1052	chrome.exe	85
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 3928	1052	chrome.exe	86
PID 1052 wrote to memory of 2692	1052	chrome.exe	87
PID 1052 wrote to memory of 2692	1052	chrome.exe	87
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88
PID 1052 wrote to memory of 312	1052	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://protect-au.mimecast.com/s/awCNCP7LWvSKKBJNfzxGtF?domain=canva.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff872619758,0x7ff872619768,0x7ff872619778
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1768,i,16070860605556117080,5323859297144760720,131072 /prefetch:2
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1768,i,16070860605556117080,5323859297144760720,131072 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1768,i,16070860605556117080,5323859297144760720,131072 /prefetch:8
  2⤵
  PID:312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3216 --field-trial-handle=1768,i,16070860605556117080,5323859297144760720,131072 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3236 --field-trial-handle=1768,i,16070860605556117080,5323859297144760720,131072 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4536 --field-trial-handle=1768,i,16070860605556117080,5323859297144760720,131072 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1768,i,16070860605556117080,5323859297144760720,131072 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5368 --field-trial-handle=1768,i,16070860605556117080,5323859297144760720,131072 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1768,i,16070860605556117080,5323859297144760720,131072 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2848 --field-trial-handle=1768,i,16070860605556117080,5323859297144760720,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1500

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
5baf3b80081dc335bdba9555cea98c42

SHA1
1660959884d9c3dc1d1dcab3be400f14e73091cd

SHA256
8b39ceec14e5cc4c6cc0a3dcabe1b6167bed7efed010ea9bb620caca08297fa6

SHA512
8f5a9df68473973561b677f4f29817ba79173cb45db9cfa0a2e9615b9954c5a83609322bacace267e1fe00d884c8da75547943b0f69fd1cf231e7a7ff7cd32c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ee92d3e69ae8268a69b156d70489e979

SHA1
9677968ce04312e4a42c0db3f55507e2ca0a4455

SHA256
b551fd3b74539480dbd91fdb10c27350a287a56fd10fb70ea58d3a1a0e527178

SHA512
a230353294b4a822ee913f1a8d437a613246933bb420396d1beaf71b3b36aee30c66ef611596c011e42447033eabe95396bf9096b7af52c16e3cba10eaa35ed1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
819dc84a9b5cac32aff634ad7736ea94

SHA1
e4e7f4ffac2e3ce613df14289cac93325df8a6d4

SHA256
dab8510ed95043ec2b4cdc57017ac62324491f124b73e03ea3692194d2933b78

SHA512
d92771e3797769172b27d0ce8aab493d4e2ed3f0b629ce78ee83e4e9eb0ac9046ab349aca9eacec5ada4ffdd9acdc0f0a33ae236e64ecab2b11ce0925353ab31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
370e617a44f5364c8716778cb8a68a15

SHA1
292bd890c3fe6e21085d3a93aef644dfed1da857

SHA256
4234aef366e2622323f23c816912b32deb112bf6ef23341176f5bf0fa07c2db3

SHA512
5c0d4a72e015c26dee46b32371bd628e5c789f959bbacd82271bb3b161d1edb9d6a70aaa01e58bace48faf4a07353c1ab2cef1d73537c98adab6e34e61714399

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e514b3dd8fdeb4b8fdee597c77e1dd53

SHA1
2d5718fe469379540316d302e5c8881935a3cfcb

SHA256
818dbd42c01bf8e2e18cd9cdf0f8878b336f440baae84634b543220ad025e50b

SHA512
7b672cd394b6dd25f5f3b97561ffab8e9849ab13927176202cd67a21198731cb49f4e617a50605e1c28e6f2fca3e5771ee1f02dddc6bfd821f8f3e1d47ab14fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
c6762bbbfa0146ee190c56ef1fddec07

SHA1
d22fcdd8cb49c3ecbebe30b2feaafe2c46a88e64

SHA256
281d2ae31c11d09506f87507e2ada16cb8e60db1fcd4b95e146a21492c93a402

SHA512
57e7d04aa676fc0cea1aa6cc0a8ed909347a9186b97f49f1f592fe63e78a996f2e14ee05b05022ad7b263201a9c601d932f24b29e31fdc31287194e036cfbf04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit