hxxps://app[.]getresponse[.]com/click[.]html?x=a62b&lc=STEDXa&mc=J8&s=BMt5ZSW&u=ty6rp&z=EFApSzg&

Analysis

max time kernel
150s
max time network
143s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
12-06-2023 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://app.getresponse.com/click.html?x=a62b&lc=STEDXa&mc=J8&s=BMt5ZSW&u=ty6rp&z=EFApSzg&

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133310794149470996"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1012	chrome.exe
1012	chrome.exe
4148	chrome.exe
4148	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe
Token: SeShutdownPrivilege	1012	chrome.exe
Token: SeCreatePagefilePrivilege	1012	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 508	1012	chrome.exe	66
PID 1012 wrote to memory of 508	1012	chrome.exe	66
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 1600	1012	chrome.exe	69
PID 1012 wrote to memory of 2148	1012	chrome.exe	68
PID 1012 wrote to memory of 2148	1012	chrome.exe	68
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70
PID 1012 wrote to memory of 4140	1012	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://app.getresponse.com/click.html?x=a62b&lc=STEDXa&mc=J8&s=BMt5ZSW&u=ty6rp&z=EFApSzg&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ffb0d5c9758,0x7ffb0d5c9768,0x7ffb0d5c9778
  2⤵
  PID:508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1940 --field-trial-handle=1692,i,11604016775010270212,14646692000166025276,131072 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1692,i,11604016775010270212,14646692000166025276,131072 /prefetch:2
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1372 --field-trial-handle=1692,i,11604016775010270212,14646692000166025276,131072 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1692,i,11604016775010270212,14646692000166025276,131072 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1692,i,11604016775010270212,14646692000166025276,131072 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1692,i,11604016775010270212,14646692000166025276,131072 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1692,i,11604016775010270212,14646692000166025276,131072 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1692,i,11604016775010270212,14646692000166025276,131072 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2424 --field-trial-handle=1692,i,11604016775010270212,14646692000166025276,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4148

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5d78f5e7ba8da3a0ae804e281abd6b76

SHA1
823d272d26fb0bc3fd42cd5aee6c4072335f1999

SHA256
edf8092094051c398906ff93834f20d37dc5d4593244ac045de504516b2c3b41

SHA512
9e7373d01cf27dc43efdfee27a86c361b15c219c92bd267ce202851fe7b8189754b7c1521de915caa9ecb7a5a196adc2f1c6d3d747117315694cf7545c9e6ec1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
6364876209c5e1b502d07d2bd1438975

SHA1
2a514c10e64ef06842bfd8757d772b1ac682ad3a

SHA256
8a630b230526fc85f0a49ac466d4fb872c340daec1622849b981ac1bffa19a3c

SHA512
a6a492a43ddf4119db306ffa7b2a4ef92c356a294e82b4e431743349a5ec4b509817bd62175539b1cf736d9f0858177f57be5ed1822fb629273294d9344208bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e01c36febca3d9469b1553990f9567e3

SHA1
be47525c6ac9d8bac56fae0f6ebfb04c77238ef9

SHA256
f0dc8bf208507d096154fd5250963a6e6fd450b19161be49d940189ff245013b

SHA512
060f7581be249fed67038605d18d2ec59a821ec2868927d67af99d27c9f0209c072c8394fc7ac2222083016453d98d7014e69aa1045f88c7c7217b0c98f0153e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bade51545a925058d1c4a333a8093a6f

SHA1
6b4bc779dbb788c42a713d45ab9e3fdd420bbad7

SHA256
4478a657f4afe65ec4b2f42cb0b1ce30d9c2f7f7501d0bb25a0f5df4f775db94

SHA512
5d199c7c45219651f5e618114c3754c930fd598bc3e4ddc2a370d619741bbf517de20ae07b6e6a7f620e2b185d81dc7918d7a8157f3cdb7bc1f255cf96eb3377

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
96529e572246a5f7f50dae3e3d9a64f0

SHA1
723e6956661c30b78391fed725e1bf6788533a89

SHA256
da6cee62d263af1d04977e603dec9f28631d14aa1910739e96e675e56884a2e5

SHA512
74be490c60d810e342084c07743059f4277de5702c57730b1975c0c9d4693e64d7729d50cb34b8940fd4cc23e7c013e926a36ddb7db7d90cd934c5728788d031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
d318182ed309a0458de6b31966a01583

SHA1
d7a539c34cca6824bfdb820eb9a6db4909736a60

SHA256
0a3ccdd3f898a287c39cef35622d99a430efa2914f19d4e5d39ddd18e6541798

SHA512
d1ebfdecb792b2c3eb05f0e75cbf86033fbd9deaeb3afa40321c4a95ee934fc05772b2e138bc593657c611096ce2249d38d736b6d524a5a8034961d682a621c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit