hxxps://lets[.]go[.]mcknightsnetwork[.]com/unsubscribe-sure?elqTrackId=cfc2696e8f994ec783094732a8906b5f&elq=26800e80a54242d3b9005a1f01b47f45&elqaid=4089&elqat=1&elqCampaignId=2719

Analysis

max time kernel
72s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2023, 20:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://lets.go.mcknightsnetwork.com/unsubscribe-sure?elqTrackId=cfc2696e8f994ec783094732a8906b5f&elq=26800e80a54242d3b9005a1f01b47f45&elqaid=4089&elqat=1&elqCampaignId=2719

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133290082323764588"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1680	chrome.exe
1680	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 4632	1680	chrome.exe	83
PID 1680 wrote to memory of 4632	1680	chrome.exe	83
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4948	1680	chrome.exe	84
PID 1680 wrote to memory of 4272	1680	chrome.exe	85
PID 1680 wrote to memory of 4272	1680	chrome.exe	85
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86
PID 1680 wrote to memory of 4912	1680	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://lets.go.mcknightsnetwork.com/unsubscribe-sure?elqTrackId=cfc2696e8f994ec783094732a8906b5f&elq=26800e80a54242d3b9005a1f01b47f45&elqaid=4089&elqat=1&elqCampaignId=2719
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff255d9758,0x7fff255d9768,0x7fff255d9778
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1760,i,13644303930971529653,12254434945062347093,131072 /prefetch:2
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1760,i,13644303930971529653,12254434945062347093,131072 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1760,i,13644303930971529653,12254434945062347093,131072 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3160 --field-trial-handle=1760,i,13644303930971529653,12254434945062347093,131072 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1760,i,13644303930971529653,12254434945062347093,131072 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1760,i,13644303930971529653,12254434945062347093,131072 /prefetch:8
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1760,i,13644303930971529653,12254434945062347093,131072 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4912 --field-trial-handle=1760,i,13644303930971529653,12254434945062347093,131072 /prefetch:1
  2⤵
  PID:1868

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
e34d980f09702d5bc639d023b5f40ce0

SHA1
752d38494007650c934329ec08bf0c24bdef70c6

SHA256
36328f15937967a0a6b1cba83e42fe86a6d80d60e0855f7b7db8ebfc387f36dd

SHA512
152547f147b17f9fe75b7e57735491d0c880bfa9b1ef5096ef0104f073695a244c0328f3ca271011c814ff13c6ca3666bf05f51ac4377d82f563c7e2e1f49203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
99561e0bb6c68e7572bd677d46a9d54c

SHA1
5cc1eac897c3976384448bdb6b80881c5e96cd80

SHA256
ef921d50e4e0c38575d4c6b802d9b3431934568dd18e36243d16ffb37afa531d

SHA512
fca11c4893e0fc8ae3ad6e0e72ab2d69668115c59dabec4d5cf0f6c3184f3e4a298e276e8322740201f0725b18da24d32ce6e55e38a01554db051881e0e8b56f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f421aa0c87848ee0b13e746e23548ce5

SHA1
c374ae1134846ffbffe067d8677ddb61f380fdc5

SHA256
ed323e5d5c163d978a634bdf874d44816fd8aa4d959901ad94988e499f4bd20c

SHA512
748fd1bfdcc399c617cf55e676bac7900e4996ecbe4a54aed96c78f3298e796e0afc019d0e53df5f78c10d7bd925674f694a3dbee36631ba9247a98c26ec9bd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
51481ece88e7687e6b6b3963ddb8250b

SHA1
9ac059bfe54f63934f7977df551d16fd75603318

SHA256
7975fd7a616ba0f9570417ea6818f6d6a63731eaee35b56b9ca1c0fdeb1a0072

SHA512
ee9c499780a4ad3177139a4e133826b803f7f72f0f9358943f11a2ff19d9ee65d8be4a9b9b83a5b0d816928e3b5071ba573fcab876e340aa3163bb15e730f051

Download Submit