hxxp://static1[.]squarespace[.]com/static/641826219c0067053903c6d4/t/642cf987608ffb1fe96b4db5/1680669063994/anti_terrorism_level_1_answers_pre_test_questions_online_free[.]pdf

Resubmissions

15/04/2023, 23:43

230415-3qv6xahg6w 1

15/04/2023, 22:15

230415-16gmcafh84 6

15/04/2023, 22:11

230415-14cwdahe31 6

Analysis

max time kernel
1801s
max time network
1694s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2023, 23:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://static1.squarespace.com/static/641826219c0067053903c6d4/t/642cf987608ffb1fe96b4db5/1680669063994/anti_terrorism_level_1_answers_pre_test_questions_online_free.pdf

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133260830429286282"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2184	chrome.exe
2184	chrome.exe
2264	chrome.exe
2264	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe
Token: SeShutdownPrivilege	2184	chrome.exe
Token: SeCreatePagefilePrivilege	2184	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe
2184	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2428	2184	chrome.exe	85
PID 2184 wrote to memory of 2428	2184	chrome.exe	85
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 3876	2184	chrome.exe	86
PID 2184 wrote to memory of 4076	2184	chrome.exe	87
PID 2184 wrote to memory of 4076	2184	chrome.exe	87
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88
PID 2184 wrote to memory of 4452	2184	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://static1.squarespace.com/static/641826219c0067053903c6d4/t/642cf987608ffb1fe96b4db5/1680669063994/anti_terrorism_level_1_answers_pre_test_questions_online_free.pdf
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffa60969758,0x7ffa60969768,0x7ffa60969778
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1816,i,11526067103422695170,14265938027157563750,131072 /prefetch:2
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1816,i,11526067103422695170,14265938027157563750,131072 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1816,i,11526067103422695170,14265938027157563750,131072 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1816,i,11526067103422695170,14265938027157563750,131072 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1816,i,11526067103422695170,14265938027157563750,131072 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4428 --field-trial-handle=1816,i,11526067103422695170,14265938027157563750,131072 /prefetch:1
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --pdf-renderer --disable-gpu-compositing --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3668 --field-trial-handle=1816,i,11526067103422695170,14265938027157563750,131072 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1816,i,11526067103422695170,14265938027157563750,131072 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1816,i,11526067103422695170,14265938027157563750,131072 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1816,i,11526067103422695170,14265938027157563750,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2264

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0b627808833929006db4c1e9510d40df

SHA1
dbc3ad11628d08a5913cb4e1bf775b47f919f8f5

SHA256
44d755aeb13a8230452daab1433efe75307e36c6cab524bcc2199ad4ab9b9517

SHA512
702714074a656ff6dd45662647ddaae37cf9cdab9169a51ac93b042473637c1f84c74e5e13ef5154efef15bad0e9861ec732abac3a2b99d48d18e288023ccb14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
bebaf975972946936e18bed2435efdf0

SHA1
272e89c9e1cb29900ab5f05cd5d6fcad37d4b91d

SHA256
1b3f4bbfab0c92f97e89b04d87545e614d73c68160d2759b6224ad74fdf0fa79

SHA512
cbe6fbe003a4fb8be6ffeb609110ee473f43f081380ab78e06ebf888bb56c5f5cadb75a7eda223a943203c2b69d3e81dfe93c9b9a22a6abc0a98e0ae7b1704c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
fabf44e2b29599bf1d15e897a8e7ed06

SHA1
f63eba83cac362d9feb6a43d6c6b8900c715fa3b

SHA256
3f72e0d1cdc47d7004e862905cdc8872d6819742d05a3605794ffadd751275d6

SHA512
576b7dc4206691757df7b1f54a43202bd47762375c184de81a936932bab1c979249fd8c1d11168ef6ff0d3992a5bf9af9a84b9b1be673e3b8811b6c34d1a1d7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
90c31253c7d8fe59c2482386e59294d3

SHA1
f1d1fc7fcbe0da67318ad0785b28915ef133c6a0

SHA256
83f756167e89b7825f24c9fc0be334b4c1d3bf343c1336c40d80f4e2785b8ceb

SHA512
ac85ba16cbd57e2acabab600aaebdd22da24b79d5df9f8b36ea348846ef79d31cc881d6fd1d46b69e3a45bff80ac9fdc6ab6d12a0ac73481c756b58c2da7c70e

Download Submit