hxxps://sites[.]google[.]com/view/piedmont-national-corporation/home

Analysis

max time kernel
45s
max time network
46s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16-05-2023 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sites.google.com/view/piedmont-national-corporation/home

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133287173158101960"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 5056	4192	chrome.exe	66
PID 4192 wrote to memory of 5056	4192	chrome.exe	66
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 4880	4192	chrome.exe	69
PID 4192 wrote to memory of 2804	4192	chrome.exe	68
PID 4192 wrote to memory of 2804	4192	chrome.exe	68
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70
PID 4192 wrote to memory of 2688	4192	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://sites.google.com/view/piedmont-national-corporation/home
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0x88,0xd8,0x7ffe74909758,0x7ffe74909768,0x7ffe74909778
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 --field-trial-handle=1784,i,390638821584081819,11087366285761762779,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1784,i,390638821584081819,11087366285761762779,131072 /prefetch:2
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2012 --field-trial-handle=1784,i,390638821584081819,11087366285761762779,131072 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1784,i,390638821584081819,11087366285761762779,131072 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1784,i,390638821584081819,11087366285761762779,131072 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1784,i,390638821584081819,11087366285761762779,131072 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1784,i,390638821584081819,11087366285761762779,131072 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4964 --field-trial-handle=1784,i,390638821584081819,11087366285761762779,131072 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4456 --field-trial-handle=1784,i,390638821584081819,11087366285761762779,131072 /prefetch:1
  2⤵
  PID:3144

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1d7db543-996f-4190-81fe-e3f2b427ca73.tmp

Filesize
150KB

MD5
1177d695fde32c7b345d8e209cb487b3

SHA1
4713def54e0c385e1ba6fc6b426cd49e2d02c2ec

SHA256
7a083f531492e1cb7e7e1d15c52220cb4f7580a2b09096b6baca7c2e2f8dc2b9

SHA512
6a02a0bedabb0fbd3d674052b372d919d3646873b531c75b926db5fdfbad0f87e550566683d877c6e5823a3c5e72ad1f12259ccbf8cca90cbfc9aa794d2bbd25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
a9f11136908d560d179b9d498c285696

SHA1
1b7c908e12ee4cd30ad528d71e1d077ba43b4066

SHA256
03ce736d63849eb065f79148a44fd5593314c9ea7ddfc0de553776e9794368e1

SHA512
7b302426151e5a4c2193472d92d31a3416c3ee203fe5e9803626ea9c8c6baaea66ddc56ddaebf67fa7f183bbf589159a6c3d02b35fbb24d70a56ff8a267a2ea7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
468abbc5eedf674187e4db1a111d7d0a

SHA1
9c122dfbca048847807430f36714261008efb55c

SHA256
39c8cf438acabb21c41ce357de01d41d0d3e1cc6b90d74e6199c28a3e7654e00

SHA512
fb4ae7410bfefc997dd67696f8a0f380781d197f4b6fcfbf19c05f82a91e4a1779a9d6b549c6b160d8f14b1a787e36e7a2ebb9153dd0dbf0652c13413adcb4d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
c49ac6a3833925c70b99c6a3f6ecc399

SHA1
8e862f80967dadaf60c053d8e3165cfb3fd8d59c

SHA256
30c9614d4d091837c85770646847c8796e0ab7ef73c8d918cbc88067e8a9c5c9

SHA512
652bcca945c880d7f539ebab29bca6089df2d38bd4fe8529db286a1d804e71b323fa8a8a59f7836f1f297bc3f9c612b2f8024c7e382c164ef2220ae634389f40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b8ae412dfaf170ea8f669053a52d99d1

SHA1
bb9a791dc86e5a11743d4a1c8838336ef3cb51e7

SHA256
cc57e1b86cf310a9125b714413b382bef087c29246236ddcedbf61068b2d2902

SHA512
a67b510d31f9dcf64228245fa5722ddc196643ab8d087f9d03dd56b8b8169297642401ca759690016cca5d4f68a5fb334d42d768496ff97f57071d3321af5fc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8f67419e98010ce1f4a875339bf2ec30

SHA1
71fe5dc9e84285075aa53e58a5bf9cc8d4e96684

SHA256
f73d2c7f7e1be152f227c049c74f97284f056bb377eb2077f255d68c91c7b71a

SHA512
c4d236dd999b9784e0acb5e7d9678d25a7c0c9ca938771dfe0a60624e390c78c4891cb5a2957e5cd904ee69d315def8721bb67fa87f75cb7f9879c2cfb9c9b86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
df050042c70e8de5e130b4ae854e6190

SHA1
ef030aed6c1cd6003c8ef2910011e33fc16b0f15

SHA256
a3933904b360b40d525a3ba818d15864a88f3ea7631edcdb25123db71e2256d6

SHA512
b76a8150f4901a30b04d7ea0af92c9439e8084ce68ac947d53a328cf8b1bcfabda4dab2eabc7c314672420c4990f8f9aa319fd5340e09e25d5f9bdbf84dbada6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
be054c2cc94ffe27f7401c216e63fafa

SHA1
bea8831839c2742ef6e8876f8b4ca0a34d565c20

SHA256
07ad5bf1fb17a69ca81a93a0d70a2b05bfe035b1afdc56e5168ce473c877946c

SHA512
831558f7d9e40553e1bbcc0b9c89471875d218777704e5328e0afc0600e7c0c4e4741dc11f4bc6ab812dfd636945098bec463915ac34a81dc7f725171d1c7df1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit