hxxps://psegdev[.]appiancloud[.]com/suite/sites/onboarding-home/page/home

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://psegdev.appiancloud.com/suite/sites/onboarding-home/page/home

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133331414163051267"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
4788	chrome.exe
4788	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2624	5064	chrome.exe	83
PID 5064 wrote to memory of 2624	5064	chrome.exe	83
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 1152	5064	chrome.exe	86
PID 5064 wrote to memory of 956	5064	chrome.exe	87
PID 5064 wrote to memory of 956	5064	chrome.exe	87
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88
PID 5064 wrote to memory of 2768	5064	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://psegdev.appiancloud.com/suite/sites/onboarding-home/page/home
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7d549758,0x7ffd7d549768,0x7ffd7d549778
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1892,i,2748987155582617878,8834935274784314596,131072 /prefetch:2
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1892,i,2748987155582617878,8834935274784314596,131072 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1892,i,2748987155582617878,8834935274784314596,131072 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1892,i,2748987155582617878,8834935274784314596,131072 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1892,i,2748987155582617878,8834935274784314596,131072 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1892,i,2748987155582617878,8834935274784314596,131072 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5024 --field-trial-handle=1892,i,2748987155582617878,8834935274784314596,131072 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1892,i,2748987155582617878,8834935274784314596,131072 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2436 --field-trial-handle=1892,i,2748987155582617878,8834935274784314596,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
89832beaf159072f99f84be4af5c2208

SHA1
adc2805015144d7a4ebb07bcdec2e90eb7a7ba36

SHA256
4e75535ee3996c829942d01de50a4ff7770d52c21984af78a42348904fd9cb6e

SHA512
cd87af46f4bc5c7e17c55be039fe13e8062257d69f1341d733a2fdb89a3c6c52241efb4378a157f8b5af8ba5dcc824a5a7189f3d0151c8ad031b48eb181b17db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
442f75217aaabac9152d09e8842bfeae

SHA1
528b5d1cc0ba6e029b04d255af37c6814e932cd1

SHA256
7cb10987dd278192a421ff4a860133d06ec5be006a618490df5f941d94e5a4c8

SHA512
9113a3da7be91d834176e22297c767b3f58fd8d8d1815018ac481b31a5d29026d9c1a8c99ffb3074aa555690dac36da3f409f28497c835c9c328b9b973667917

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d1da625284f2afd976174e6f5cac974f

SHA1
67738a836d744c8db9e32ad549e33234f2cfce8c

SHA256
e92f51b6b72fd32b0ff54a6be76e176eb19844a88e9fd84b52e33c32805a7a88

SHA512
09ca4f2e346b2433e5480cba9bacf6b56fbc1d9972609bd8ad79bf08c2dcff16fb9627fe6d89538a865bfa971a6cf1bf0ce1586a43feddd46b02fac12956345d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
38b973304e418b4cf23d7d5e235adfc9

SHA1
fbe2dc8b92576373d7e8810e8b3a84d675b3e987

SHA256
fc3372001178753451489931cebe5e89477dce2a385ea6ef31bf2fd0aa58ba36

SHA512
5a43d42fd94be254122861b38f72e8b2b667f497a70659d0a33da46e4abb4166d8182eaf407f876af650f64a97309564f84bd2926fdf9e5c06bcd1494a3c0e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
913b1b943ce5a8fd40813dee17a5e3ec

SHA1
0346995aac1ca8216d6c6e2200c99d913a06ef47

SHA256
52cee952f5a6b48326698924ee41929f16f109b45497865e215c8c0cd2119ad0

SHA512
ca22d3233b0301d245fd4355d4171cb60ad207f81045ae797806a27bc08bbbfd4eb38677f2643687618b3fcf4cb730677ee64c4d5d452406d8a05b38aa6f113a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit