hxxps://go[.]trustradius[.]com/rs/827-FOI-687/images/TrustRadius-2023-B2B-Buying-Disconnect[.]pdf

Analysis

max time kernel
30s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2023, 14:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://go.trustradius.com/rs/827-FOI-687/images/TrustRadius-2023-B2B-Buying-Disconnect.pdf

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133313977603894916"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	chrome.exe
1648	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 4344	1648	chrome.exe	84
PID 1648 wrote to memory of 4344	1648	chrome.exe	84
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 3908	1648	chrome.exe	85
PID 1648 wrote to memory of 208	1648	chrome.exe	86
PID 1648 wrote to memory of 208	1648	chrome.exe	86
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87
PID 1648 wrote to memory of 5068	1648	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://go.trustradius.com/rs/827-FOI-687/images/TrustRadius-2023-B2B-Buying-Disconnect.pdf
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc04d69758,0x7ffc04d69768,0x7ffc04d69778
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1884,i,2890838241542273604,10465653149057877370,131072 /prefetch:2
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1884,i,2890838241542273604,10465653149057877370,131072 /prefetch:8
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1244 --field-trial-handle=1884,i,2890838241542273604,10465653149057877370,131072 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1884,i,2890838241542273604,10465653149057877370,131072 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1884,i,2890838241542273604,10465653149057877370,131072 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1884,i,2890838241542273604,10465653149057877370,131072 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --pdf-renderer --disable-gpu-compositing --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4764 --field-trial-handle=1884,i,2890838241542273604,10465653149057877370,131072 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1884,i,2890838241542273604,10465653149057877370,131072 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=1884,i,2890838241542273604,10465653149057877370,131072 /prefetch:8
  2⤵
  PID:2004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f71e8fb81b0f15cb7fd198bd2120185d

SHA1
1b7796f635f7b9979b352092e96562cdc5eb64a7

SHA256
4ec256840c88116c6d476e3ba5cf103374f1afc59bd7c5e534beafb57c27833d

SHA512
c126aa0bb2946fbdf3ef91e3172a431ee06191b9e4c2664cc952ee06db6e851ddfb9006b849ab9632ef73f84ba0f513f82435c47fa16d06cf6f7538ff7ca4900

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
f3eab8f3fe4c58ea773f2cb1b0ecc7ae

SHA1
8870d834dc03f248c5fce515fdc80ee7c29e2b69

SHA256
0c906922219e7889fef47a6806c575fee9bfe4de28a3e46d24bf37c43b647fcc

SHA512
83227d7a02b6aabb179560e6e96374a3bb70d9422630649edf3055fca97e2774ef64a71ff2196c98e7895ab2d3de602da8efcbbd645bbf66abeec813a15df2e5

Download Submit