Analysis

max time kernel: 150s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22/05/2023, 13:59

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://outlook.office365.com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cPH0PR15MB467053BA5E956363E88A08CDE8439%40PH0PR15MB4670.namprd15.prod.outlook.com%3e
Resource: win10-20230220-en

General

Target: https://outlook.office365.com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cPH0PR15MB467053BA5E956363E88A08CDE8439%40PH0PR15MB4670.namprd15.prod.outlook.com%3e
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133292375650571742" | chrome.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1688 | chrome.exe
1688 | chrome.exe
824 | chrome.exe
824 | chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
pid | Process
1688 | chrome.exe
1688 | chrome.exe
1688 | chrome.exe
1688 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (26 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://outlook.office365.com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cPH0PR15MB467053BA5E956363E88A08CDE8439%40PH0PR15MB4670.namprd15.prod.outlook.com%3e
  PID: 1688
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd65d69758,0x7ffd65d69768,0x7ffd65d69778
    PID: 2136

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1760,i,11126234608864905234,5676987603234297980,131072 /prefetch:8
    PID: 3584

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1760,i,11126234608864905234,5676987603234297980,131072 /prefetch:2
    PID: 4264

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1760,i,11126234608864905234,5676987603234297980,131072 /prefetch:8
    PID: 4056

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1760,i,11126234608864905234,5676987603234297980,131072 /prefetch:1
    PID: 4536

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1760,i,11126234608864905234,5676987603234297980,131072 /prefetch:1
    PID: 4380

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4312 --field-trial-handle=1760,i,11126234608864905234,5676987603234297980,131072 /prefetch:1
    PID: 3684

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4208 --field-trial-handle=1760,i,11126234608864905234,5676987603234297980,131072 /prefetch:1
    PID: 4716

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1760,i,11126234608864905234,5676987603234297980,131072 /prefetch:8
    PID: 3344

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1760,i,11126234608864905234,5676987603234297980,131072 /prefetch:8
    PID: 4856

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4196 --field-trial-handle=1760,i,11126234608864905234,5676987603234297980,131072 /prefetch:2
    PID: 824
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 2704
Network
MITRE ATT&CK Enterprise v6
Downloads