hxxps://myfinancialcoach[.]com/sales/

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://myfinancialcoach.com/sales/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133278515897243107"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
4924	chrome.exe
4924	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 4448	2416	chrome.exe	86
PID 2416 wrote to memory of 4448	2416	chrome.exe	86
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 1644	2416	chrome.exe	87
PID 2416 wrote to memory of 3540	2416	chrome.exe	88
PID 2416 wrote to memory of 3540	2416	chrome.exe	88
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89
PID 2416 wrote to memory of 3148	2416	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://myfinancialcoach.com/sales/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9578e9758,0x7ff9578e9768,0x7ff9578e9778
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1828,i,16746132898067374539,11942197109726154809,131072 /prefetch:2
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1828,i,16746132898067374539,11942197109726154809,131072 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1308 --field-trial-handle=1828,i,16746132898067374539,11942197109726154809,131072 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1828,i,16746132898067374539,11942197109726154809,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1828,i,16746132898067374539,11942197109726154809,131072 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4860 --field-trial-handle=1828,i,16746132898067374539,11942197109726154809,131072 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1828,i,16746132898067374539,11942197109726154809,131072 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1828,i,16746132898067374539,11942197109726154809,131072 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4800 --field-trial-handle=1828,i,16746132898067374539,11942197109726154809,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
be6bfff50a4bd317718f3e5a3946ad1a

SHA1
07a25bfa25c51ef23c0fe2ff314ee2d92beed2e5

SHA256
d6199b7c5d884872214677663e79498655f1b071df5aff62e2485da76520dda3

SHA512
f633e0aa39263379a647edf50910ec802fbc61b5bce4b254a25357baf24b34c09b536b36653c6906c7dd18e20d760dedb6b326f2a84e636d8098318cfd009626

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d96a66b59c88cb0f6b3a11e2160f98d8

SHA1
0282c6996e779693b9fd4ae493080d254d809461

SHA256
6ba7c1e0487d94cfcbffd540e09f13c4ba223781f39f1a4831eff1700d0c55f7

SHA512
c12d984002de1e6633269090eb557fda58bd0232569d6e0b8bee5656e03b16d4aff6417c4a237390f7ddd19b82207cf35f6660c50aa4a6cbcfff9973d4d338a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c482a361f59078537af43f2f44a60a4a

SHA1
936ec813acf534f35fec34c056ff9fe8f0902172

SHA256
496e10102fe08bc32ea46c8f9aba63e87efa4d7bd0a9842f73bebe9a83ab24f6

SHA512
0704a46865668b4128b4f9c8ca3172ab02b65e6cac38ed97a3ab5240932da664922026693dc9274cc0acdee874a269554b075ba39cde0d960e3724013996347b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
aae294273d9c94586491014737cd934a

SHA1
f32868c691b61460cd5df4f626192b3aa6080091

SHA256
21e37963cdc83e438700dd9018bfbdf3d642265460217396569ad3d8bea7bef6

SHA512
75cccd1aab24ece039ef80569b4b269fac10277eebd86297bfbd854de66a9d24c941ac5a0ecf7522ec72b10f70df85fda4979087bb0643d7b53d04ed0ab3322e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7de1fa03bd65497911eb98f569a755cc

SHA1
0c617b6b8e4c17585df2a516bb9d20d89ed44396

SHA256
06e98fa222c220b9c9d56b25e121d39d3726240166b61baf9f9cb446817637d2

SHA512
6a80db7a10dd07df66e02b2a28820ef5c7a91159d72218eb2598c0e7ad246b1a9c8604f9486f46df1174a48bb2528974e8bbb6782e2ff341b90151f0c9261b57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5dd78cc1c4e348eb88a5f357c559c988

SHA1
3fe1e65f83c8eb4e50774cba5c4e48015de17b41

SHA256
410e106f87fc39b291a9216dc5922cffe447c7723ec8412ac62db45af608ba98

SHA512
a96606f1702b1b9aef96fd895686e74a88df9acc84f6c63291002c93d1a02e96cb6424aa6b44845f57bd030e5744f9c316f49368fba27b2f2e132ad2172049a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
149KB

MD5
1be1efc323006eae07a3a3980727ddca

SHA1
3d8ee3f6df8a026dae55e332a989563cbd49811c

SHA256
7c6dff9ee8a4f8bfbf8586281efddcf6385840c2b232544207b21ab7a96a2cea

SHA512
076d1f9009e7be29b85d287732c6ac15d5e29d608df89fc650aca84d8c99b302d73bf4d8e98a75bd440c857d0685f5c145b198318795c1d7cf47b8e88013a4b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit