hxxps://trullion[.]chilipiper[.]com/book/me/giuliana-naccach?type=lease-accounting-demo-meeting1

General

Target

https://trullion.chilipiper.com/book/me/giuliana-naccach?type=lease-accounting-demo-meeting1

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133295824835137874"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

3744 chrome.exe
3744 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3744 chrome.exe
3744 chrome.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3744 wrote to memory of 1964	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 1964	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4328	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 5012	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 5012	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4408	3744	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://trullion.chilipiper.com/book/me/giuliana-naccach?type=lease-accounting-demo-meeting1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xb4,0x100,0x104,0xdc,0x108,0x7ffa27f79758,0x7ffa27f79768,0x7ffa27f79778
2⤵
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1796,i,5825912699572348118,11112712771301899632,131072 /prefetch:2
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1796,i,5825912699572348118,11112712771301899632,131072 /prefetch:8
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1796,i,5825912699572348118,11112712771301899632,131072 /prefetch:8
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1796,i,5825912699572348118,11112712771301899632,131072 /prefetch:1
2⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1796,i,5825912699572348118,11112712771301899632,131072 /prefetch:1
2⤵
PID:348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5224 --field-trial-handle=1796,i,5825912699572348118,11112712771301899632,131072 /prefetch:8
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1796,i,5825912699572348118,11112712771301899632,131072 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1796,i,5825912699572348118,11112712771301899632,131072 /prefetch:8
2⤵
PID:2436

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
092460a45b954d8bd21888f210eb95be

SHA1
be4af5f5f79de1312bef8e1fd51d465f1ca2bb89

SHA256
1688369c65f460289ccb6f2affb962381095ab77e2b0db66983d84467fac4dee

SHA512
05dfaff7b657f598881f42e6b3ccb4d90bd4e940046318f48fe0ea8cce2734f6dd2d27323c9908f60cc88bb2d8a0ac8607d5e561fd61772a0e7ab11cafd8b19d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
409c0d83fc39635ac7cff8e2efb24e4a

SHA1
6fb3f5a1333b79414ff99cd6a8ed514aee08de6c

SHA256
4e066f2c92a6bd3f13f7737d1914461f444a57be8e9cd4c973ed8f371e1f715a

SHA512
2c9a22bef3ec58dcbb74c01f860a9ce3209bdf1b5ac657b584adf5839e1baccdb506587a9fbb09f21baca5dcce5706c9b36b67d048f39aa4de7fc6ae76a0d522

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
c82e9da33cd2f620ff64335f36688b0c

SHA1
d769541ddc7c0d0ebfea29dc1be4d7245e7a4537

SHA256
44c6f6207ca9a4e44c5e01d93ae81dde941e0e2698fb3de6f59557a1e0ec496d

SHA512
57e0e2e0d68bb2a5ff0b3d51b68e61a9abf85d985b553dc2e56eb078747bba5475d4ce6da73a6f2b5390fc8c062122b4f8408b9b1aa38c5854ee6a7445f23124

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
153KB

MD5
810203641cf53ad4d333e8bcc315f39a

SHA1
cd25e6232f6ef0cd337d34b5366e62886a4e1dcd

SHA256
8272aed70f1fe68933b2930e5458ee9ce2f417c5cee2364c6e95e3ea23696b38

SHA512
9c2881d3180b0d53041d1ff9c232e5ca2548b08ca4006603aad98fc979106d213670352cbdd9bf96f9c3abff859e2c3e263d23e345c35508a574fa2d9e7199b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_3744_TSVHMMIVBBMRJGWO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads