hxxps://protect-au[.]mimecast[.]com/s/ZGgbCVARnBTxgNWriGXBB6?domain=email[.]mail1[.]onesignal[.]os[.]tc

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://protect-au.mimecast.com/s/ZGgbCVARnBTxgNWriGXBB6?domain=email.mail1.onesignal.os.tc

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133288531497463098"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
636	chrome.exe
636	chrome.exe
1796	chrome.exe
1796	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
636	chrome.exe
636	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe
Token: SeShutdownPrivilege	636	chrome.exe
Token: SeCreatePagefilePrivilege	636	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe
636	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 2748	636	chrome.exe	83
PID 636 wrote to memory of 2748	636	chrome.exe	83
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 2932	636	chrome.exe	85
PID 636 wrote to memory of 4036	636	chrome.exe	86
PID 636 wrote to memory of 4036	636	chrome.exe	86
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87
PID 636 wrote to memory of 2960	636	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://protect-au.mimecast.com/s/ZGgbCVARnBTxgNWriGXBB6?domain=email.mail1.onesignal.os.tc
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba01b9758,0x7ffba01b9768,0x7ffba01b9778
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1832,i,12895475007938938199,11135480793841927769,131072 /prefetch:2
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1832,i,12895475007938938199,11135480793841927769,131072 /prefetch:8
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1268 --field-trial-handle=1832,i,12895475007938938199,11135480793841927769,131072 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1832,i,12895475007938938199,11135480793841927769,131072 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1832,i,12895475007938938199,11135480793841927769,131072 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1832,i,12895475007938938199,11135480793841927769,131072 /prefetch:8
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1832,i,12895475007938938199,11135480793841927769,131072 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2780 --field-trial-handle=1832,i,12895475007938938199,11135480793841927769,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1796

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
ef67b414e91d90af3e18c0106888b0ca

SHA1
284017d32fa0400395dda138cf92afd38c84ca28

SHA256
58d142b47f5741035114dd6b16971b83d31e5f4d97d68a9b3fa0faf8f950e945

SHA512
50a3cbf044014f9c8a177d0d7d3da8a2f2ca4dd0e5b88b1b092ee39c669397d4799b1aa886a6f42b22463a86a5588f7ef95ea9b2e9ccd10716c9e406fc243ef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b41293672d7e1889fda740f3172dde3e

SHA1
f7e6b1d68a8e90b8751124ebbd91024ad1da1fbe

SHA256
1e076cea01ce02ffdba3f97ef9592a6ccd075585ef205c4d051f977438b4c77e

SHA512
6c077cf329a00ea1a0c3d2438c8fb87dceefeea28ec5b49debcbbca7be6810b061eee9682f886458a98d2a4c79feca83a21f8491f3bba2e225423825ad338147

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
1b7c5d0f0a7d8e09f4c10c7a27304b3f

SHA1
575dc635fd7869dbcb8dd3b395c965eb101223dd

SHA256
1eace49b74c0a978c63c8068cc4466bae1725943194d7a90aaac1b4d99560ab7

SHA512
6e8b8215527ec27752c8427c44995341b067039729f426139f7c05c3c70837d87fffbc29bfde0654cc2888e769940ada9f931ce5c3fbc8a6c09754a7114dc3fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
959a6cba2f1a567dfc3974db697f116c

SHA1
a1b65428c7e6f463b16065fac1ee9276549b9a60

SHA256
d0fd44fbecf73653162cdc3af45d82525a3deecfcbaacff293ba972c4b21d4ee

SHA512
86647a0f6b47719ae70588e50f92c92afe200ea3b66df5b57ad91b416f709dd03deda8dc79934f5a14ff1f48a9ec41f250947452bc35103a00f8eb5cced88377

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b946037045498aec40efab7c6163a9ba

SHA1
11330a9cee42a98a903c40be0596622984ca6ed6

SHA256
f1611369108685d9b077d3ab19006a70154d5995e437f0069e47bcf72d01bed7

SHA512
0c7dc4870b468c83859529f2d09e84b9d630037a7edf8eae7300472b2c430fa89aadb4af3e3813e4759e33f612c9a7d46349b41541b584effc7764d7580e5b53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
d92e43507bba66cae33d51af493fca80

SHA1
03eebccad2b929e6922abfaaac36a495130040a9

SHA256
d5a3f0de1747d534e713b7bc58a3c7f6bdc3793ec0ac367a9e106ae27c5b6fa3

SHA512
f21150bb32d371caf23e042fa30c4819eeeba2f6abf76c57b09f5d46c4e4769c0cc60b0e7d4339c22673d8b93e084772fe325e79b0b0a64779ca2dad08a77bce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
fd895cc8085c2c8589ba1b4fa9bfadb6

SHA1
57d9a19f4c0da4d60b06311de996b71c2301f8cc

SHA256
a753d700c67271e58214188f318dba0e86c17188bb3b11eb9c4808929d3a82ac

SHA512
ef168e8f6b8aad2524c7355d3561f0774ed273e9de285c3ebc9f1dcbdd6f87e9e512242d454a90391254209ddc1ee45843c429d29f9c9c115bd9d0818b18fb9b

Download Submit