hxxps://click[.]email[.]vimeo[.]com/u/?qs=80658e5238d4fb1efa588b04992fe830e5dab8d7fbe028484e0206c747c48f13bfb33c482d7dccc9be851db9fe4af97fa0952e10bfa54404eba0bb4ac9be39fb

Analysis

max time kernel
28s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2023, 13:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://click.email.vimeo.com/u/?qs=80658e5238d4fb1efa588b04992fe830e5dab8d7fbe028484e0206c747c48f13bfb33c482d7dccc9be851db9fe4af97fa0952e10bfa54404eba0bb4ac9be39fb

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133293292414484686"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2492	chrome.exe
2492	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 4108	2492	chrome.exe	85
PID 2492 wrote to memory of 4108	2492	chrome.exe	85
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2200	2492	chrome.exe	87
PID 2492 wrote to memory of 2220	2492	chrome.exe	88
PID 2492 wrote to memory of 2220	2492	chrome.exe	88
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89
PID 2492 wrote to memory of 3124	2492	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://click.email.vimeo.com/u/?qs=80658e5238d4fb1efa588b04992fe830e5dab8d7fbe028484e0206c747c48f13bfb33c482d7dccc9be851db9fe4af97fa0952e10bfa54404eba0bb4ac9be39fb
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd499e9758,0x7ffd499e9768,0x7ffd499e9778
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1772,i,1850345863709025636,14870206677380539678,131072 /prefetch:2
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1772,i,1850345863709025636,14870206677380539678,131072 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1772,i,1850345863709025636,14870206677380539678,131072 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1772,i,1850345863709025636,14870206677380539678,131072 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1772,i,1850345863709025636,14870206677380539678,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4696 --field-trial-handle=1772,i,1850345863709025636,14870206677380539678,131072 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4828 --field-trial-handle=1772,i,1850345863709025636,14870206677380539678,131072 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3348 --field-trial-handle=1772,i,1850345863709025636,14870206677380539678,131072 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5164 --field-trial-handle=1772,i,1850345863709025636,14870206677380539678,131072 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1772,i,1850345863709025636,14870206677380539678,131072 /prefetch:8
  2⤵
  PID:1524

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
53fe8ef54bc7c6d72d6f4ba51d876237

SHA1
c021cfd2ee1a682936980d99047f31fd33eefd76

SHA256
285a48fcc018b82da717ee1055e4b931d2b18f7a369209c7391b4e67b89f56f6

SHA512
f043440ed30da3fa7e27585494bc83d4f716c3a11da35ece908f1c8b34366eb44cc80f2223c07610bd02403394d8c4d4423eee13ca4a636ca09a626ab7a586d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
64c887f7529add1eaa85245c2854b236

SHA1
bfa76b1d3963cf1433aacffa6072260b94d64140

SHA256
b4c999903e7d8443ff1f5ad9b9dc22085f35bb1b0905c38f7fa50c008156ebc5

SHA512
3235744aae29a270980a6f743b6265fdc690605de6133845d98602fe2a1a0eb4b7ce49643e9c21bc228b44fd57491274cfb26345b670b76b5b12183c1a2254d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a8ee818165d75100c3e8a97429ae4c67

SHA1
fc483bd237d43fba6fe7e1b0291b16471d85fc04

SHA256
19f0c654dbf6f4eee025eb99bab0345b52e891218c28de57225a4f355e40e395

SHA512
59d57eac5cb3e1446b1e28f1971b833e85f8eccf2cbb2eac133472e621ae5396588c6ed929eafdc639ab4df18097460ab06897ab4ee403899ef627811a974a59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
c43d932911d5e123dbdaecfbec885efd

SHA1
37736f28838f35a7a2b47d82489e3813c571f9ee

SHA256
a83ce14142ddc1eec24f627bd4b416a6bef7b9950ab0783ec366a4381ac16e4f

SHA512
c313a97d5a308e681fd881eed9fea67659c5dc62d321511f9cfba8a5537ca43f9aa605224996b6fb7162bc0d03fa199b5ee6ca70204415b44949aecd6a0dc9c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit