hxxps://us02web[.]zoom[.]us/webinar/register/WN_877w31onTz6UMeKUcba5gQ

Analysis

max time kernel
300s
max time network
294s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
12/05/2023, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://us02web.zoom.us/webinar/register/WN_877w31onTz6UMeKUcba5gQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133283428821424666"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
408	chrome.exe
408	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2504	2460	chrome.exe	66
PID 2460 wrote to memory of 2504	2460	chrome.exe	66
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4148	2460	chrome.exe	69
PID 2460 wrote to memory of 4816	2460	chrome.exe	68
PID 2460 wrote to memory of 4816	2460	chrome.exe	68
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70
PID 2460 wrote to memory of 3712	2460	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://us02web.zoom.us/webinar/register/WN_877w31onTz6UMeKUcba5gQ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc968c9758,0x7ffc968c9768,0x7ffc968c9778
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1972 --field-trial-handle=1716,i,14205592977946354635,902621964465800988,131072 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1716,i,14205592977946354635,902621964465800988,131072 /prefetch:2
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1716,i,14205592977946354635,902621964465800988,131072 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1716,i,14205592977946354635,902621964465800988,131072 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1716,i,14205592977946354635,902621964465800988,131072 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1716,i,14205592977946354635,902621964465800988,131072 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4500 --field-trial-handle=1716,i,14205592977946354635,902621964465800988,131072 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 --field-trial-handle=1716,i,14205592977946354635,902621964465800988,131072 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1716,i,14205592977946354635,902621964465800988,131072 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4960 --field-trial-handle=1716,i,14205592977946354635,902621964465800988,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:408

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
a62691a88d3d11fae925d202f6cc27a8

SHA1
6b0cec9f9a905edac0aeed1e2ad53175efc73fa6

SHA256
22b293581bc3964fbb7fcc63bb1400b62a531f186560a4d210c94c6ced406eb9

SHA512
9eea5cfab9f6abc7706168763761f07c6f0b37c1a7933bdb2f9fa069af7c369f07fb0868953af39c2bf6f0ca881b8577a5ea54b851f8ab92963b5d4b84a1f06b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d071aaf640ee435afea18005f95ea0ca

SHA1
347ff6ebb54fe25ae69401b81304216e7421a55b

SHA256
07f1150cae362e698e805eb3ccc35dcae6e65e3ccea17acfc8339f7d46fb3f77

SHA512
ae3f49a6e9e8af29a9909098afd72f8af3acb6ee2a725391adf54b9fc74f71e87abcf8d698c5f39a4cb56ad23333a65c9b063ffda1db9f2adabb91c3949ad4c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fabfb2f277768b2bea27ef11cd08a47b

SHA1
7f5f1be0899e6db6ea616bea80279986ab6a6c66

SHA256
9fb5e3b25786c68fc0a060c80414ebd15f404684571d062f393e416d7aed557d

SHA512
49be1b4165d1a53370eb3afdfc7a6ac4795b3770f511605ba8818c1942a1896c631e6b208669548e7eb31ea01afef51e39683368f9416bf55bc4afef810b04a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
302f0ab39869169b7b5684618be8743a

SHA1
e3d47d7e1fa05c0cd69774e9e551875727a06338

SHA256
4c74ed8c6605ed055a8c8a969de498591218e0c157313c42694a4898c24014e3

SHA512
2b2037cb007abfd23b878327718c1e3792668f0c98705dfddb87d07de2c806b022adbf7ef28af3b4f4cc37b017835d6d58425aa9afc89138fb23381a2d159f20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
14c3ae4783662a2902b00d5fc80d52bf

SHA1
7b9de9953bbc235281232c8b68522037ddbdc1a8

SHA256
9d98bae6007fdf21452b2d58de236e4f333d73a830766b5a6b75d011f1b7dab8

SHA512
c6c78e8e8d842aed3893453fb9ade2666e855f86b57fe83d27ab4015e745ec46c081488c09fee35e974fee30813869c10e00d893fa72e5bd1ede2707e9104b27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c6129847ee4015f741554ba583f5f8c7

SHA1
6153a75f973fb501d306593dae5d736ba4708763

SHA256
cae457228b7b32c5295bb96871af6312c6dc34a9cae5afd28fe4b1515f87aeed

SHA512
c88155d8ca42dc6c75686b11a36ac0e02db2d80497a8123aef5c233aa1ba848c3fe91a16d67fbbc0f11d91f3b204b0791df8421a1d02083bfcc13faa00658d6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
149KB

MD5
ea9bdff53781bac30379c37e9829a62c

SHA1
1743ee2cf7735d0017f86995c09609f73f33077f

SHA256
d4d59d172237dee3e6b48fbc8768b9727b0b72226669f6d854f2dbf769c0013d

SHA512
9307773f48e1b7b3d5c445a0cf6df66deffdfee7b78c449507dfbf3a29efb534748a842f5c0007dcd98406b90617da421c411a2f6748f79f5651ff712d54e51f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit