hxxps://info[.]notion[.]so/events/notion-cafe-paris

Analysis

max time kernel
30s
max time network
28s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
30-05-2023 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://info.notion.so/events/notion-cafe-paris

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133299425527645941"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 4532	4456	chrome.exe	66
PID 4456 wrote to memory of 4532	4456	chrome.exe	66
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3884	4456	chrome.exe	68
PID 4456 wrote to memory of 3756	4456	chrome.exe	69
PID 4456 wrote to memory of 3756	4456	chrome.exe	69
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70
PID 4456 wrote to memory of 3668	4456	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://info.notion.so/events/notion-cafe-paris
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xcc,0xa8,0x7ff8a9119758,0x7ff8a9119768,0x7ff8a9119778
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1916,i,17401777641446377188,6413522224959597132,131072 /prefetch:2
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 --field-trial-handle=1916,i,17401777641446377188,6413522224959597132,131072 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1368 --field-trial-handle=1916,i,17401777641446377188,6413522224959597132,131072 /prefetch:8
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1916,i,17401777641446377188,6413522224959597132,131072 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1916,i,17401777641446377188,6413522224959597132,131072 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4416 --field-trial-handle=1916,i,17401777641446377188,6413522224959597132,131072 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4456 --field-trial-handle=1916,i,17401777641446377188,6413522224959597132,131072 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4436 --field-trial-handle=1916,i,17401777641446377188,6413522224959597132,131072 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 --field-trial-handle=1916,i,17401777641446377188,6413522224959597132,131072 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 --field-trial-handle=1916,i,17401777641446377188,6413522224959597132,131072 /prefetch:8
  2⤵
  PID:3232

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\9932ae10-51ac-46b4-bad1-ae4f7beeea64.tmp

Filesize
155KB

MD5
95784635f6216d85b75439a534960ece

SHA1
058b1094525d1dbceefd3d180b102c96c3597757

SHA256
898cbed9eb0f99df25b6192aaa5df1d5e63e18159d26a0a68674ab4b160cdb59

SHA512
66ec70ac0d8f7ce2b0d49ef03219b1339b13ef84066178d7ac73a395dc8343d747e7e0ac4722a9648f2cf2d8b5d74920576afc785f6c31e32c25a07904701461

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
82fa2f995d322a4efe0bfe4a73c027b2

SHA1
4fadd0200480a8a583adb48d1f8ebbcaf2147eaa

SHA256
9deb254e93455f0ee7b8a2db141e114903cd3e50ff0e717df8ee38a23705d182

SHA512
bc7c261508cc17446b61b27cab124d95013a3da714495d6b864ae4112b58f6380f861c9ef832bf8182d45b2d7c33c1cf46ce2c72d3bac20f20a6f4dfe788618d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cf6847b8a20ab0b9a808c7fc1280156a

SHA1
9856a02474b9210d32a4359d5e28afe9290e5adb

SHA256
082c9923f885597548fc018490a70f69921f39997f4400ac1aee3a58c10121f9

SHA512
b1ffef3567c00be8e4cda52f6228bcbe6dd7c33f11c7a47b67e339185be056ea358278e75ba31677703275137f935a24a99f4216681dda6936d56cc7dc4c654a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3ab861cfe9dac0e8a33e2eb1321a70a5

SHA1
414392bf9736f81edc8bbbdf0adcee4aec23e08f

SHA256
db0d6f500f89da7ab037d49ff028be1d0d64907e7cc375159b78054d468c12e2

SHA512
50da51dbb393267c4f2e60800f192b5996b10c8c546f8ce1d0150249493ff1a5a637f400913e0f77953e131bfae224116f40c6d117404c0210b5aa408387bb87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
89ceba233b94d67063d7fae1c300f72e

SHA1
bc83676eb6449ba256494567152408090423caad

SHA256
99efc0f9c5330d344bed6610d75c80ef42d33b839f6aae5fb5f31e3d35e705d2

SHA512
d30dd54455844eab3cd4dfc85d837a9be21db95f5521ff5b7ebe5bcbe58dbd4e145531e6b4ad8db0f3a2e949c7b59009691682241b281c06b4ec8b1e4042fbd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit