hxxps://wintrust[.]meetinginsights[.]com[//]Email/new_images/ATT38864[.]png

Analysis

max time kernel
150s
max time network
144s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26-05-2023 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://wintrust.meetinginsights.com//Email/new_images/ATT38864.png

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133295588339728058"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2580	chrome.exe
2580	chrome.exe
5008	chrome.exe
5008	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2580	chrome.exe
2580	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 3188	2580	chrome.exe	66
PID 2580 wrote to memory of 3188	2580	chrome.exe	66
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 3964	2580	chrome.exe	68
PID 2580 wrote to memory of 4508	2580	chrome.exe	69
PID 2580 wrote to memory of 4508	2580	chrome.exe	69
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70
PID 2580 wrote to memory of 944	2580	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://wintrust.meetinginsights.com//Email/new_images/ATT38864.png
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe31749758,0x7ffe31749768,0x7ffe31749778
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1868,i,98390624725852231,6499308218547309325,131072 /prefetch:2
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1868,i,98390624725852231,6499308218547309325,131072 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1868,i,98390624725852231,6499308218547309325,131072 /prefetch:8
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1868,i,98390624725852231,6499308218547309325,131072 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1868,i,98390624725852231,6499308218547309325,131072 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1868,i,98390624725852231,6499308218547309325,131072 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1868,i,98390624725852231,6499308218547309325,131072 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1868,i,98390624725852231,6499308218547309325,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
715B

MD5
92abe1a172ecedaf2c6057b52913916b

SHA1
5cd2dc139a06deb18dd3e9e96bdca43a295a68d9

SHA256
2c820519a758c471d09b24a8497561fe6a95517ba152cc004a72778df1c82d17

SHA512
62a14bfd9e94b78b0f7da06578c70017877b98b182e02fccb7789c05c6bee7eda995aeb2791818b757a1e2a9f06cb2bd64ba49027a5ca557734aadffbb360784

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7be6de6273b3bc5b3329b3f67191fc82

SHA1
8c8672044e954a229228600c2872bc486b29eeea

SHA256
ec468e76d2dece4cd1b84b113c9462c76c67daa7b5f737220a726782c3caefa8

SHA512
2017594310e1f61a77ee844362373538cb1670cbe7ebee2010746f011f31a1290ab6705ad38b044afc558ef175ead231e42ad4dc706bb6b3c5aeaf8ca101630d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e4fd6755d3ccd4927eb20ce96ee015da

SHA1
0fcd5487cdddc0ce35ce8740be9e61e71bcf129c

SHA256
b3e142080d82d204d34f9e52a237975ed0a2e803a0a35986333cb5d126715e07

SHA512
478149737ee08c0ad10de4931f6faf58cf43b3c74509fb33093b8695cefd25db17a40d09f3abba6e3b1818861d5c34b89eb20d17a736cbe9c7e9bcaa351533e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9de45334d45fbb0ffc785c2c1d7e2bdf

SHA1
78a52c9e9d0f65a0798487a8600e6eea9049689d

SHA256
29c654bd1f6c96d1450d2d64d02c3174fb96f6271b48217112c311a05aa4642c

SHA512
e1d656e77b1d872df9aa97fdf2f607b5d8e0e6685a698f03717809b652d022f7b093766d9768772fde545e63b47964d5ed6226c0507ea5e2cbce3414357485c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
ea17ed71425f73b72f82a24a07175386

SHA1
791c37211dd7eb2074562d43feac5730c8cf85b8

SHA256
2bbb9e58cfa0cc99b495622352a749153bec027d6734347cb524b7059fbdd093

SHA512
181c964d529dba81856b860df5dc1d8bc3c9f89695528bc646c97ef00888934477fde4c9180885d5319fec722a98c2791b3d48f7ea2ef81a7d3e12e49e5fdeea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit