hxxps://beplb08[.]alight[.]com/emailviewupdate/email?ID=108E8E22B09A48EFDF7F390D859C00A15B0A5708DF8E8376C2A8779BBF5438B111A3B1D294B79EFE254B6F3A3400D4A3

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2023 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://beplb08.alight.com/emailviewupdate/email?ID=108E8E22B09A48EFDF7F390D859C00A15B0A5708DF8E8376C2A8779BBF5438B111A3B1D294B79EFE254B6F3A3400D4A3

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133328399143837750"	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
1896	chrome.exe
1896	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5104	chrome.exe
5104	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3476	5104	chrome.exe	84
PID 5104 wrote to memory of 3476	5104	chrome.exe	84
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 3832	5104	chrome.exe	86
PID 5104 wrote to memory of 1320	5104	chrome.exe	87
PID 5104 wrote to memory of 1320	5104	chrome.exe	87
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88
PID 5104 wrote to memory of 4632	5104	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://beplb08.alight.com/emailviewupdate/email?ID=108E8E22B09A48EFDF7F390D859C00A15B0A5708DF8E8376C2A8779BBF5438B111A3B1D294B79EFE254B6F3A3400D4A3
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdafc39758,0x7ffdafc39768,0x7ffdafc39778
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1812,i,117284050643646339,12057463903841372612,131072 /prefetch:2
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,117284050643646339,12057463903841372612,131072 /prefetch:8
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1812,i,117284050643646339,12057463903841372612,131072 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1812,i,117284050643646339,12057463903841372612,131072 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3216 --field-trial-handle=1812,i,117284050643646339,12057463903841372612,131072 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1812,i,117284050643646339,12057463903841372612,131072 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1812,i,117284050643646339,12057463903841372612,131072 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1812,i,117284050643646339,12057463903841372612,131072 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4580 --field-trial-handle=1812,i,117284050643646339,12057463903841372612,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
764cf354e3ef08eabfd463bf91a01de5

SHA1
02d78047f7379c4a2fb05d0960957d270329968a

SHA256
fd744311c273ab38662c236fe4255e30ca17ee907fffc830dd34f8bb4fabd23d

SHA512
d8235f27e7d732b72d4a92193bb643080818540d68194f327d5100b51ec957e7952369b0a6366f1dbccaf076be69d7194643890469e4d2d4f82c4c1887122ed0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
1b2f8549fa60b662a7d4d964e894aefd

SHA1
30d04487d987553b9a1f1d852c26cda42dc9d0e3

SHA256
b01055627f2b2f672cac2772e907263184b8b357c83c69a3be3c83834f72491a

SHA512
1bfc6ac244724e6608f74f4be8b7c4822d24f67534ddea3623b3e15360d144194bd30a8cea3cfc0936302b13e617288215189ce4e162cfa6b9c65f89c8a2fcf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
721cd4b1ccf33b5085f44672e6998d8a

SHA1
03cd3590a105f1265d7d7575d159b6d487884e73

SHA256
a28e5a772b5a0d54e98d0e7b14f091c09d3f2e3e260bae88ff77b4270b877ebf

SHA512
12d681d027f28af7f726edaba2f91996b55a6fee89383432b0e6c32c409e4bf56e3efa217598325466634245d53405ad2d83d86c857b3888199c80e26ddd2ec6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8242fa9c43d5ec0f1db66871b0c1289e

SHA1
5d6c6445aa36a5f3f0761206a2d4d8ea71d1b9ff

SHA256
fdf4742773a3b6c8ef853aeef071f8de3213cbe99afae57af2e8d7de83728b3d

SHA512
ec20f39c87da547503dc88438cb7c334e3828264d14a946bc34f18afcd811987837677f1bac80580a29ca849bf4450edfb4849920e2d33bd07e004073297eae1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
927d0f62500559c1e0ff68c7e2251460

SHA1
f755a275e77eaf9fb7e8b34be40162def038d142

SHA256
acea6008859f30772498bb6b5d48ba009709d013f153bf2b2a50c16cc586e4e7

SHA512
0f9b8896a9c2df88a23259b5411e3312f7b513aa9f2fdfdf32190cf0f2b17b73f02ae455f318103e979ada2a3529e6766e031d2cf5f45d82a31dbf355e0528d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6c78300ea79e20905b3559b22379226d

SHA1
99f4bc68562e026da09fcadf73b6a6b7d8a76ef5

SHA256
740a90a45bf755c794d91a8c23f9332f2237ed08773fcab6034d153e4f255259

SHA512
7a04cd8426fc614da69018a4696332e5005ec30dd72252b1ea3766a05cf1a632999d74ea075eb7cb249981bc73805afe277cde261fc09520e234a384d1061558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
172KB

MD5
edc4e37c7a1df303ff226def40ed59dd

SHA1
473b4b1c9a7629795499bdcbdb2c1f07ffbe4e68

SHA256
174c0621f17c5b7266761e83c2a7197a96d71256b7d5b8e403e6143356bfa4ac

SHA512
8a1151e048e0818f4dc02156a91b83864d3c9037613237a588c9073453b7cdaeee9ada0028bcff24ce36a5cbb8e3ec0e19a69e9c8ca703a732a7aebfc9826d5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit