hxxps://cmb[.]eu1[.]adobesign[.]com/public/esign?tsid=CBFCIBAA3AAABLblqZhD8CKNQGg-Ai1c1hCUBSBrQUNGWDpuWK-574d2IQxutkQLntS0u4IVhN_-8AzYncdAbjj0RlGfPYf58WB0QX2M9&

Analysis

max time kernel
80s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cmb.eu1.adobesign.com/public/esign?tsid=CBFCIBAA3AAABLblqZhD8CKNQGg-Ai1c1hCUBSBrQUNGWDpuWK-574d2IQxutkQLntS0u4IVhN_-8AzYncdAbjj0RlGfPYf58WB0QX2M9&

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133274513586680881"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3832	chrome.exe
3832	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3832	chrome.exe
3832	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 4280	3832	chrome.exe	80
PID 3832 wrote to memory of 4280	3832	chrome.exe	80
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 480	3832	chrome.exe	83
PID 3832 wrote to memory of 4376	3832	chrome.exe	84
PID 3832 wrote to memory of 4376	3832	chrome.exe	84
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85
PID 3832 wrote to memory of 4336	3832	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://cmb.eu1.adobesign.com/public/esign?tsid=CBFCIBAA3AAABLblqZhD8CKNQGg-Ai1c1hCUBSBrQUNGWDpuWK-574d2IQxutkQLntS0u4IVhN_-8AzYncdAbjj0RlGfPYf58WB0QX2M9&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0c9e9758,0x7ffa0c9e9768,0x7ffa0c9e9778
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1824,i,3717818957438645154,1835840932644113165,131072 /prefetch:2
  2⤵
  PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1824,i,3717818957438645154,1835840932644113165,131072 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1824,i,3717818957438645154,1835840932644113165,131072 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3156 --field-trial-handle=1824,i,3717818957438645154,1835840932644113165,131072 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1824,i,3717818957438645154,1835840932644113165,131072 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1824,i,3717818957438645154,1835840932644113165,131072 /prefetch:8
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1824,i,3717818957438645154,1835840932644113165,131072 /prefetch:8
  2⤵
  PID:4892

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
1e26d8b07eca2e2e1ef7141cbb969616

SHA1
f8f8f6d65000bc6d929dbbe52cc687a2da346f55

SHA256
ae08347bb97678160886d9b9753eed121e3494e49d83ad033eaebb105d12a498

SHA512
195c8cb85f2049abe0072cccb6ca606de1ea87794c15c1cfa2d54c150739266a4dd701b120d242dd78608965f606caabed9310e147efa9ba708facb2e1a29440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2a4ee1aaea8c5d87b114b4261b736009

SHA1
14c456353fec3c6e342549ccdca96aeea6f8e11f

SHA256
7219990d60b74d08bed9a09cfeaa52cf8a631a6ed2150433759126ae5bd445fd

SHA512
0f6b968cbe22f858fea4831f812b22aa673a1afa6b67d1bb72bd0a45f6f046295dac002e2f436cdeb09075dd14632a0c63f0180c9831e766dfeb921b4748c516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f790938175638a7b1046e922d9bb308a

SHA1
da2dfa04c79b9c5e52bec2f23e6d83c067b0a82f

SHA256
4d5a6e7e32f4aa5be56ccdf98fbd6be0a88386639798907044f6e4a3d9809d0f

SHA512
5ed6e1243a40481dfe2a7cf7703765de8669922a7b24af2e2d37835cf7b3559eadb5404e40df6174a4dba4fb49e73e61a57da4b3a2d34e30f3d33666aa40a3b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cbcefe43031bbe4159a391308d7c0502

SHA1
d0773d0335fe5379bfa8522178d05507fbbfe207

SHA256
1ff98843148ce36bbbfe50404249a27c4724621906f7c0f7f6b2a14bce5e90cb

SHA512
d5df702546041532188962e9d84c425223cee68e761f9f1cf0ea59d396541f52a50aacb1b9882a907898f1656f307200e52d44df8cd5a332c415765711ffe4ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bc970094b71941fef04c9158703f92f8

SHA1
08d33cfce21e64ec00299ac1ce2029e87000a4ad

SHA256
7173196c9918694b281d2b3627e1f1baa72a9e1d50bfd00daf14b5120a437a16

SHA512
0ce0263deb6fd2dc0b9eec20348caeb19768feb30d48bdcc66a2d3aa849df5cf17995ec81187d05238fe4ddbb2c1bd26be789b91dd0f997c63564030553c94a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b5ad5605c6864046106d97a19d077996

SHA1
32b8924ff222dabd1026933f69d3b0c69340a63e

SHA256
a1d23c92977b7add5e150a1a377796da316253d626f5544abd44c4f1c403d450

SHA512
a87a52f7980fde4d6aa515b460c04e8d3d26c9d8da145ee2ba331eec8945b77ae3a0faaeaa147ad30c3b8a08c2117550a3850a279687a91bccc3f824bb496ebc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
149KB

MD5
c23fdb9652206f6167e355410d4e1234

SHA1
70286a5ef09edb9573d1eed2b67f16966c3e99d2

SHA256
a7e41c5a6f4c05d6944ec72ba1265778f462078d99335b92dc94b464cf3d1a94

SHA512
5bcca5c9fb57c2ee626f2ea21804e74629ed4e0c181f9ce5e6be5204bfb0b4bda8d1794bc3642f01f14b387075ac79624d9f297571e75f1c90db5720bac25eb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit