hxxps://wintrust[.]mentorcliq[.]com/quickcliq/YzcwYmFhYmRhMmI0NjkzONQpxopgvQuzZ9ICXFjBEMgO0rRzg1qylXB4DZnyBXXm6VCEL0pY-jkXXqkuFdrKLBkNCeLOIUunvRvRNqZrXLUWUsAVZajyniWEFmXGcPiF

Analysis

max time kernel
1200s
max time network
1199s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2023, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://wintrust.mentorcliq.com/quickcliq/YzcwYmFhYmRhMmI0NjkzONQpxopgvQuzZ9ICXFjBEMgO0rRzg1qylXB4DZnyBXXm6VCEL0pY-jkXXqkuFdrKLBkNCeLOIUunvRvRNqZrXLUWUsAVZajyniWEFmXGcPiF

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe
2316	chrome.exe
2316	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 3008	3600	chrome.exe	22
PID 3600 wrote to memory of 3008	3600	chrome.exe	22
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 2144	3600	chrome.exe	85
PID 3600 wrote to memory of 5056	3600	chrome.exe	86
PID 3600 wrote to memory of 5056	3600	chrome.exe	86
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87
PID 3600 wrote to memory of 1208	3600	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://wintrust.mentorcliq.com/quickcliq/YzcwYmFhYmRhMmI0NjkzONQpxopgvQuzZ9ICXFjBEMgO0rRzg1qylXB4DZnyBXXm6VCEL0pY-jkXXqkuFdrKLBkNCeLOIUunvRvRNqZrXLUWUsAVZajyniWEFmXGcPiF
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9683c9758,0x7ff9683c9768,0x7ff9683c9778
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1900,i,16862638342851056840,3772591308032994109,131072 /prefetch:2
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1900,i,16862638342851056840,3772591308032994109,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 --field-trial-handle=1900,i,16862638342851056840,3772591308032994109,131072 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1900,i,16862638342851056840,3772591308032994109,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=1900,i,16862638342851056840,3772591308032994109,131072 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1900,i,16862638342851056840,3772591308032994109,131072 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5136 --field-trial-handle=1900,i,16862638342851056840,3772591308032994109,131072 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1900,i,16862638342851056840,3772591308032994109,131072 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=900 --field-trial-handle=1900,i,16862638342851056840,3772591308032994109,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
a8e0f03bed604cacaea66a22c2ba873d

SHA1
e9218a03f820f8b991c0828cd671e0ac1d7cdf71

SHA256
eebb1ff1091dfda985cc11893c04a34d29c6ec7c4e36ef48e1aed4a527e17642

SHA512
b452ec3ef9fee3e0d601e5a9e9d39d3ae98fc2a9ec5d521ed11f12512f3dcec4f1551b49dd3a6cf06b74031735f3db95e437155335c8e228c0c6cfb1b9ab7f75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ee7e4eb92eec4a54a67564d96c4f93d4

SHA1
bcfec987d5f91fe4ce4e6d67d16b02efc0efc1a6

SHA256
e01ac0a93d61d3368e61ed1bc14e9d731ee9b47452d08d645733b44eac23f733

SHA512
400efd5f01f76ae598a7390f0be8ec726f076ff04ba3ad8a44f0adab3718fe9577e60d055913f0038b88f5b1a6fcbcccc33ed0b57c8e80e893d9b1f42ec0e1b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c18badff547c10eda52db7b2dc964611

SHA1
d73787c70a7ce1b260208b8566c6ab64bed6d001

SHA256
8672a115d301387891a7c951c67df1177f4b3e2c383a152d1dee7dc48ec95783

SHA512
98ff4a5767a828117de5456c398458560089978647b60f078ced4e0db3d69af45cb7a84a8218de8758c29bb11a7502566b7858328d5b93269e0912a9f0daf3bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
174e3025b49a4d92b21c60554694a871

SHA1
6527947d7f88b446f6304e650d646b83fe8a4018

SHA256
c80263bf3ee9016d5da7f33690a3e30db585e9159c40718aff8401baecf18750

SHA512
181c98bf591149e3e85b635c88ace572735dae1b4b7ff061019bd4872ecdbb1a29a32b82c95c7ca6da2b8084fbfe9785bbbe32fbfdb989add1b7edc4393815c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
94aa3828ab6b7acb8f9ff87cd86b2867

SHA1
8df907968b189c6be48f3c12e40a61e9ee7d8ecb

SHA256
480df70c13cfc82d099f0059565a9009819f1d03d791d233300ddc44f801a95e

SHA512
8548ae5564b34d0e4a5ba0d28853760f3b49540ee486b8d8e635a726cceb56ec780ad52bb041c1af06a1cd9d9eaffa9c0b591e58aab2fe012856da95711357ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
78c1e9edc8d5ee8b47364ae2be367f12

SHA1
8dfc6c6d00d54b25785059d4916f8c126a6a4b10

SHA256
e6087232ca735936c695459a818f732cd1f238a8e442a1758b4f4e9e3fa32726

SHA512
1bd523520d4771cf0445534bcf8ea86bde2dc5e56078fd1ebf44b83fabf3f5e4baf979c0158c70f783351dc69224d6c13e43828c35904f13b815fd3d8c3a0eaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
2b3059679966c8c44b81167a19cd792b

SHA1
87acd0f6b32207b898ebad84a45c51691e131256

SHA256
ef229a05a23eb9098275b7d29509fb5d88070aed1cb04b1b1845fa6ba58493c3

SHA512
188f0538701ab3863eee27458ca2edc39605def7538018663e662c379a78489b339df9c199c0d7072de99d5ea552c9412e1a0283ca7a7b62a722d70282f8bd06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit