hxxp://customerportal[.]admirallaw[.]co[.]uk

Analysis

max time kernel
299s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2023, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://customerportal.admirallaw.co.uk

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133328647943513683"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
1256	chrome.exe
1256	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4064	chrome.exe
4064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 4208	4064	chrome.exe	84
PID 4064 wrote to memory of 4208	4064	chrome.exe	84
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 1724	4064	chrome.exe	85
PID 4064 wrote to memory of 2384	4064	chrome.exe	86
PID 4064 wrote to memory of 2384	4064	chrome.exe	86
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87
PID 4064 wrote to memory of 3260	4064	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://customerportal.admirallaw.co.uk
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa99789758,0x7ffa99789768,0x7ffa99789778
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1824,i,16038387549956393653,1030424888214933240,131072 /prefetch:2
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1824,i,16038387549956393653,1030424888214933240,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1824,i,16038387549956393653,1030424888214933240,131072 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1824,i,16038387549956393653,1030424888214933240,131072 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1824,i,16038387549956393653,1030424888214933240,131072 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1824,i,16038387549956393653,1030424888214933240,131072 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 --field-trial-handle=1824,i,16038387549956393653,1030424888214933240,131072 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3948 --field-trial-handle=1824,i,16038387549956393653,1030424888214933240,131072 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1824,i,16038387549956393653,1030424888214933240,131072 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4736 --field-trial-handle=1824,i,16038387549956393653,1030424888214933240,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1256

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
edacebd0ad4aa36384194fea158545e2

SHA1
5d53ee4b37ddf127d37d714a713c93d29307e181

SHA256
d28969e8c56deee05e2dc70b2e21ea14449e6fa3decace753586212858459a3c

SHA512
bb81416c3bea5f0c1b233e22e1a790035c6d4ba5024e3b4d287f6e6c92580b3e58e57fbfbd5140d34c70acafd1f9e60727800f9ee1352b13d746d5b0df2b89bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8c4452324b5a7937c8d3a8306925af13

SHA1
d0b766f34e5895520d40f4dc3b5098366b3362d9

SHA256
fde110fb869705627284dabd13259d44d75a08d7eef322bea6feb638e127e4aa

SHA512
640a3f330c8ddadd5761b0a13308b9fa38dfdad4da5c8dba853e83677ce0703d2ad7d0e5be049f1ed9349d453c15e305b5291d22e789202e272d6302226da434

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
53d04e683c11cfee8e46315f038095c7

SHA1
7aa1ecbaae69a0de7485e3393e55a7c5aa56c864

SHA256
16d8c1383395ab268c1483e5e26c73724d3479f1ba8d153bc051a8a0fa16b5e8

SHA512
4915238b34299c6d8bc087a4a9f4e4b1a4d887e1ad658089926ad81ebdfae7ac696d77b1c61ab6287f549b67ca6b4b7e727c34e4943818bab1db581860486a95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
9e86fa94b3ebda836b5c862a4dabbc64

SHA1
42964c9ce546385a25c0eaf6413adf298c7d9d02

SHA256
6411a515bde62afe702d9534272769a679f711b6eb812384266fe0ead30edc0c

SHA512
52f4a94cb6bb2c4a26144d6d9af46b5405410f2dfbdd81339896c2c893e4b206cd07568f86d21f2237bd36b3ee07738dd5491409c04e9516d256dc16e938c47f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
31183c93436a49f5e06dd866bff3ffa9

SHA1
765b42d9070e2beffee4c1299b35c5f07c5d8c53

SHA256
1150fa03638abae70689ec7716b080eb6739db1a8a6a1ebbcf1be44374afda09

SHA512
b1f0f8b00195e1e0b0e80e332245dfb9f9287d0444ec090e108aaa2a3c8bd574e3ade2ec61ba70409aa6dce243ae948959dfb8f67e5652ef86808337b502d264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
88KB

MD5
014837fb2de0a36321da851bc58141e6

SHA1
184883f2ffd425a00e6a8d02cf8a1ccba38bb96a

SHA256
494cf34d39ead0508e5f32680980dd77732cba2847355891f4a51a704b175389

SHA512
7a60fb0ff58379dbf758e22cc639be8dc0a46814bfe7214a66ca457446a1d121d9af38cc1aa338b70672c4dc720e4c9d7431fa0207284bb6bf089786d1b6408b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit