6d1853c5c661be8fe8a242bb24f2b88224f10eb3a231acd47e0c53fb7f3d06ab

Analysis

max time kernel
151s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2023, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

email-html-2.html
Size

1KB
MD5

b9bd5996b969c2d218a2ac9ace02b3b4
SHA1

bacdb8090f049b546cf8720195f0472504849a5f
SHA256

407b100cd1aae942b059cf5f76473fd3964d87019040b8b23b05430df48cc389
SHA512

71bf678c8260cb1902d2f2e0aa764ef77f4de6e7ab99300bac4d8c437497f81f5b6755d50fbd100308a1e7d9134bb39ff97c51d2d507ae4d4326fe7ddce5a5c4

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133294229763956191"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4648	chrome.exe
4648	chrome.exe
1512	chrome.exe
1512	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4648	chrome.exe
4648	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 1244	4648	chrome.exe	86
PID 4648 wrote to memory of 1244	4648	chrome.exe	86
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 4956	4648	chrome.exe	87
PID 4648 wrote to memory of 3708	4648	chrome.exe	88
PID 4648 wrote to memory of 3708	4648	chrome.exe	88
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89
PID 4648 wrote to memory of 5008	4648	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\email-html-2.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcaff49758,0x7ffcaff49768,0x7ffcaff49778
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1812,i,4871854832199669940,10164975215097450659,131072 /prefetch:2
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,4871854832199669940,10164975215097450659,131072 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1812,i,4871854832199669940,10164975215097450659,131072 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3160 --field-trial-handle=1812,i,4871854832199669940,10164975215097450659,131072 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1812,i,4871854832199669940,10164975215097450659,131072 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1812,i,4871854832199669940,10164975215097450659,131072 /prefetch:8
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=1812,i,4871854832199669940,10164975215097450659,131072 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1812,i,4871854832199669940,10164975215097450659,131072 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3484 --field-trial-handle=1812,i,4871854832199669940,10164975215097450659,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1512

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
882B

MD5
8d9164c511aa7963fd5e52b048f31b17

SHA1
ca087d89061665511a91ddbb23dbb29e36e100f6

SHA256
116e8d4917131339cceb92523ffddc9f048d9661a5898eab79318a09376da514

SHA512
e26f8330be2c35c1191bc8e71d8f87410301a207273082cb5d456c2e1b864e3741df3da67f1c047c17486326b9b91070cceba4190ed316e34bf6824a552fa97d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c46cca054eaaba57e1a7363394103ad3

SHA1
2f86aa338fa2c6256aaecdebba7dd231fb22a769

SHA256
1af35d5327f098a95f11fb9513a8fa98f9792a4e2b6465cda1e494e1a1f776bf

SHA512
5395ff03c66864d7b20887436a1acdb3f30d4212ee66945d8cb7302f7f9a2e49831fa60d7ff13d0086865c03c1081e6722cb4700f64499a78fcc77d1af5d3865

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
66cd6212e6d65a220b23f45c4cc895d9

SHA1
faa95dc8e78328843364dc863c51345418d4985c

SHA256
7983f07ea91bc789f28718bb7b5a8d41d7d739493852006ab96be4c4868d7447

SHA512
93ac22b7aa0c31856864405d598fbc10cab3f06c2838729f0fba97d280c23ed415effbba2412148353e241aaed2332197f752685d8fcfb2c97d7a386578d7cba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f0b6f58f-d975-4273-b0a5-4b0df8f86953.tmp

Filesize
15KB

MD5
83446cb4ed92856762ff9e895edb76f5

SHA1
de610652ff8531f573873498f1274aa3d14dedb2

SHA256
49457be6cdbf11dc74aba1b3d8cd0bb99133da616c7ef151ef657fbfa3cab357

SHA512
89c154444463772b78f50fad44eb5dd6acf4ae3c1dbdd1305c77ca3bbad46d1bfe7e18d31f660281f13edce3591e305073fa53ff7d4e0a0ed4862194f852ad02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
2fdcc73acb733e270dddd01ef3611bd6

SHA1
9963d9d3ee65022f6d8d832cbe42b0f40305596d

SHA256
e46ed253a3a8d14f5e745648604d97fad6820a7da76365372204517574179e27

SHA512
61d19254848e96b876bbd2fd8c80b7c5d64a15e651687cf5da194264c1834ddabfd528f636c603de5b1eac9e9ff943cf3995095b362e1cdd57443bb40883092f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit