hxxps://www[.]earthwisesociety[.]bc[.]ca/collaboration/community-collaborations/

Analysis

max time kernel
35s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2023, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.earthwisesociety.bc.ca/collaboration/community-collaborations/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133258024919428625"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 3172	2596	chrome.exe	84
PID 2596 wrote to memory of 3172	2596	chrome.exe	84
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3856	2596	chrome.exe	85
PID 2596 wrote to memory of 3640	2596	chrome.exe	86
PID 2596 wrote to memory of 3640	2596	chrome.exe	86
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87
PID 2596 wrote to memory of 1084	2596	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.earthwisesociety.bc.ca/collaboration/community-collaborations/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe67c9758,0x7fffe67c9768,0x7fffe67c9778
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1832,i,18218791013233798160,8809375357599261456,131072 /prefetch:2
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1832,i,18218791013233798160,8809375357599261456,131072 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1308 --field-trial-handle=1832,i,18218791013233798160,8809375357599261456,131072 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1832,i,18218791013233798160,8809375357599261456,131072 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3324 --field-trial-handle=1832,i,18218791013233798160,8809375357599261456,131072 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1832,i,18218791013233798160,8809375357599261456,131072 /prefetch:8
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5320 --field-trial-handle=1832,i,18218791013233798160,8809375357599261456,131072 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1832,i,18218791013233798160,8809375357599261456,131072 /prefetch:8
  2⤵
  PID:864

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
63c7479e7cceb0726ef30f2333a6bba5

SHA1
4175bc32962e68fc3c12072aa2b45db186f48400

SHA256
147fbcd79c3d6547b028b058a81c08719fd9976aca530930724f47f0b5a286dc

SHA512
7b89dc590d5b0d7145af9c7c745a80ed099803f8e873c855ccdccf8e956addd4f0e914d5acf5d72e318047a9060bd40bd6b4d366dbc8017214a1586b481d09c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0b177a5a91676e48cd83071ab9f0d97d

SHA1
fdb2b0a6033afb74f05013e34aaf8ca4fbc0df95

SHA256
6b7848059f90a1c4303932c0f2427160f18a166a2551c34f9a8b31d6b1c0d834

SHA512
ca74c999a4879cdd78205196453081d84122f5e68bc226405027e5695581460ba994beab7663073e068aab5a1159745c8e585c7f9547bf4fd0b4ca3d5fc3a4c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9a902df93f908ca4dc1825e99bb5e4a1

SHA1
5cae8169c15ad12e019410d05f139a04c9c9cf6e

SHA256
21f6548239b4c4587c7beaf05895245714c28f257920e0fd340b81ce79f0d5e1

SHA512
52b5be3ff6551238df315284d68423f6c655279db86fa15e88dc9c2822c21b48a9a3a073f9c7b88924f4fd71cf461884c02172e92c21fc15376082e2ed07b184

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
debc4ed54800565cb143996f25f73cce

SHA1
40f9945bd2cdeba5047aca316e6c4c402a23e275

SHA256
5b1f1eab97341910e1aed6f06aaaaee64bf90dfbd5e0bfd3035cb16bc7a3cf21

SHA512
563bde10cd0bc3f0cd804e42b015b03be482a646aaa81f623a89abb007dcfa8858ae92a33859253dde11c4765f37d44876c9c2cef0caaa876033fe67bf763eed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
1db1424a44655b81b9998a91ed4a6435

SHA1
7109282d1a4829c196b8e9fb34ef3b298a7b38ca

SHA256
9ebbbf0dc949e6491ba6a3e031e508385bc78d672b89515372ab89c6b4264f2d

SHA512
e65d865f5977f3abe515ab3ecb2e8ddeaf84f60726456c0143171f7daf16625a27937167c2d2b14f098c3ffbb4fc9710ee1ff644788da418266c3c739da34600

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit