hxxps://web1[.]zixmail[.]net/s/e?b=epmedcenter&m=ABDd1JMvzWbU9l52VitXrl6p&em=jgrasso%40wiggin%2ecom

Analysis

max time kernel
300s
max time network
279s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2023 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://web1.zixmail.net/s/e?b=epmedcenter&m=ABDd1JMvzWbU9l52VitXrl6p&em=jgrasso%40wiggin%2ecom

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133335873207207715"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4336	chrome.exe
4336	chrome.exe
4144	chrome.exe
4144	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4336	chrome.exe
4336	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 1656	4336	chrome.exe	68
PID 4336 wrote to memory of 1656	4336	chrome.exe	68
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 2484	4336	chrome.exe	88
PID 4336 wrote to memory of 1332	4336	chrome.exe	89
PID 4336 wrote to memory of 1332	4336	chrome.exe	89
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90
PID 4336 wrote to memory of 944	4336	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://web1.zixmail.net/s/e?b=epmedcenter&m=ABDd1JMvzWbU9l52VitXrl6p&em=jgrasso%40wiggin%2ecom
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff25ee9758,0x7fff25ee9768,0x7fff25ee9778
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1816,i,5679463191061342574,14851670319328145052,131072 /prefetch:2
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1816,i,5679463191061342574,14851670319328145052,131072 /prefetch:8
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1816,i,5679463191061342574,14851670319328145052,131072 /prefetch:8
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2816 --field-trial-handle=1816,i,5679463191061342574,14851670319328145052,131072 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2808 --field-trial-handle=1816,i,5679463191061342574,14851670319328145052,131072 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1816,i,5679463191061342574,14851670319328145052,131072 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1816,i,5679463191061342574,14851670319328145052,131072 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1816,i,5679463191061342574,14851670319328145052,131072 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4896 --field-trial-handle=1816,i,5679463191061342574,14851670319328145052,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
e5f8ae25da9175da2c141b60331dd7fb

SHA1
cdd7c30ea7bb632989c5d3e1ef95ced77641d035

SHA256
2deb69761455a28d8571fd9f053951fa4bee6f38e693dbd4f1c008f08af15360

SHA512
6d8ff75bd2a7be6ebbc8b2065aa17773c1ac53541bcdd57e7ba3cf919e1a857a132e6bfdc306abdfd48d365a23e51a6bb934dba1508eca273b9a7321a4a807aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c0892c3d0a4e4ff850ead4bb204a26ec

SHA1
ff57d51f37d4cc91d0477e5ffbc1f5950a63cbd7

SHA256
ec7e3f80abbb3f11e5912578008bc5e3c918bd3913ce1119a8aba2c475f586e4

SHA512
6581998ff4961bafc3c64af9eb1e3b6c7b2bc81a737967cd689d460fcbd3bc90be824b0bf666c7a47fd1b7526b0f743fc7fafc3961f9ad74a5e23b5ab1f8d3b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b8a22a31e0b094168ccb301136b458d9

SHA1
2b4e378d98dbeec00d675374ac2c0e2a8bf3f770

SHA256
499d2ff1e10a36e262973458ffba870357a5e72c52cfdda2afe25cf025d67157

SHA512
bf483eb1b93ed83659523cbb5684f2c384cec3ce3d46dc6c838ad23dbf276b5603da3474387037457f71bea7bec218638db66169445b0778b47cba654deef524

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
183dc7a2513355edc990ea07b50315a1

SHA1
5a83523ff5bfe06da561db50d306db8ed311d41d

SHA256
3bb9b00370874790eef108ff44341a33c62691031b63c5576c0f574093af981c

SHA512
a4c6b53ca84e7075c6c01f1b2760352f92013cc549049adffe69f3e077db0970e1745c2939650f29da830f5a4224ba7c048198fea93c43178b4d425b95dbbe41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f9bf86adba371018dabc1159d99fe847

SHA1
b00c32663d273ee4a4bc7c70fa1599a16e0649ad

SHA256
7e4655e2b73806a2facbb17642a524bea656b652435125ad2a57d0f967f73df9

SHA512
97a86cde97d0dd36af6d8f683bb8e2b58ab9a8cbd95a96c28ff57ee736ad6ac359f3836a7e39ef1b5265c548a4d48892003420d77f284945efc8146c1418c5f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c8063471b22fd08268e8672ec2a51e50

SHA1
5ca4d36d2cae636ac92e3d3b0b136bee5e68beb5

SHA256
1786eeebb698226cf1a6cec6c4a501aef0053e1173aefa4afadba2fd08834dbf

SHA512
74d4fb8c2cd365f25e6c67dda345ee3444186dc91c50845af2593a15d2e04ef37bc87fae1aa74689b4540b9b3f3adb1fadd2a2d45b596567906bfc0e09dbff99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
172KB

MD5
3f6f9f37a3961559d741ff1a37ff1560

SHA1
971ad16d5a857b8d4f948df3ef168d2df257f124

SHA256
fd3eccd0ae2c78a225ebda42cfbeaf829c98b2ec984ff02adb50316f2ee54117

SHA512
ef39be2a0b1e67e03d149d56959e8b6edf833329e625250f3a12449a91e31729a504c83bb59c974a9185c9f823299f2330f7b486506b09f07831bb1eadb103a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit