hxxps://protect-us[.]mimecast[.]com/s/LBfPCxkNrjTLW8QrJC8SDzv?domain=willplumb-my[.]sharepoint[.]com

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://protect-us.mimecast.com/s/LBfPCxkNrjTLW8QrJC8SDzv?domain=willplumb-my.sharepoint.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133268950692095795"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe
4576	chrome.exe
4576	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 4104	1644	chrome.exe	84
PID 1644 wrote to memory of 4104	1644	chrome.exe	84
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 4392	1644	chrome.exe	85
PID 1644 wrote to memory of 328	1644	chrome.exe	86
PID 1644 wrote to memory of 328	1644	chrome.exe	86
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87
PID 1644 wrote to memory of 4328	1644	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://protect-us.mimecast.com/s/LBfPCxkNrjTLW8QrJC8SDzv?domain=willplumb-my.sharepoint.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc04d69758,0x7ffc04d69768,0x7ffc04d69778
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1748,i,11011587854307224082,3553475065055880838,131072 /prefetch:2
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1748,i,11011587854307224082,3553475065055880838,131072 /prefetch:8
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 --field-trial-handle=1748,i,11011587854307224082,3553475065055880838,131072 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1748,i,11011587854307224082,3553475065055880838,131072 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1748,i,11011587854307224082,3553475065055880838,131072 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4456 --field-trial-handle=1748,i,11011587854307224082,3553475065055880838,131072 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1748,i,11011587854307224082,3553475065055880838,131072 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 --field-trial-handle=1748,i,11011587854307224082,3553475065055880838,131072 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1748,i,11011587854307224082,3553475065055880838,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4576

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
38d6223a9bdbb4bab16708544b98322d

SHA1
9d40be588bbff31c8752aa17f68bd49a2e8a3206

SHA256
b08a74db6407cfb01620f74827a21a8d3a6f7688ff2efad766294c96d8cfad9f

SHA512
577994a3378bc530e65379239a1f3672bfefea5145b9fe72a64105fa80d943725a519903767c3bd536ab1745f4572caab2b0d72fd758c386761bcba44b834a4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c8e02e0dc07836b921837c4d2e2dcc86

SHA1
a92c444a66089e3147a144764b0a8c480f6c2018

SHA256
6449e7e5c06021860378635dbf74a035ec578046571544feb5d542cca24cabfe

SHA512
69fd9cd6f7eaa151c267c06751715c248f1394aef4920ce2c35d2f0aec751e4cf3e9b2ea07138998660d63e5af5ba3331af7e74ede3208ea57b5d57198a792ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7f1a2b9659cb0e2e2d3c24fcda5ee0ab

SHA1
87bbdb1a1e6d2e44828f0104e20a14c834c48646

SHA256
a386b525621febb18626dc8560f9ca4a09ee0feff121cb91c60ffe85edefad4d

SHA512
9d036b21409fa51eebaa74c0112943c2987eb21a4747a375504ea8e45dca4248bf86ad6006d373529b45445ffc36a61f584e360a44b9ee4ce14cb6c28fa7d655

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
15f0a0a337bf631ac6556d407caa26f2

SHA1
facc85c7279ccdfab86d2eb3787d175c4cb8f5f3

SHA256
a86e1c2e53fc1cf6addd69dcb7336e9d5231efebe4e17230efb031ea06f58e57

SHA512
191649d1cd369056336acee492d049c81130fbf48004e9c7e3ed3740e2fd15a343f725e6b665db1695c18e30c3feff733c74fc72d049012ddcb2dcb0d69d6e35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
7a27d41091711a58f1f296a38e54c032

SHA1
56811843db13d8697d71182476cc410b4f782e01

SHA256
3e35345b95e45f8c89dd95cea85f84ccaf82bdc8340a2dbff5f7601a2f28daf7

SHA512
6a1abdb7619e1dbbbf036df3e4c06c88ba58f72cd5f136f29059ed4a58273b19a7fc0f51db2978ad9b26c8e97c759bcb2c44362777f07ab48a5686098bc1a278

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
3d003ab298f38af76f64388fe785aa61

SHA1
e5fdf855ed05519e8acb861fb9ffa0b95bcbfe25

SHA256
9953be75fa910c2a19136b2d0440979876dbfa1579239e89eabf213cb3d9bc58

SHA512
3b0b0890fa9e2a0169852daf601c6b97ada6ee6fdfce6b2f09c8a8e674b3ef06a797795fba727784eb6ecf4f16f94d4101a6917424241880644ccdcdb2c002dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
f7b33b9822ed1ef21e7d0d82dfc783c5

SHA1
6179eff70723f86f3a275abfd8f6b3ab23d9d6c7

SHA256
c4821b6c448703f4714427370589115a53ef6ebaf7c74f6416ad5b2a2a3c89b4

SHA512
5f1bb92b1e7a5242a5a644b37466c3b825dac05f033c0358d570c59dd09d364f66e7104e041c85be143213903950aeb37e2addec67401b9d30b594dc81779350

Download Submit