hxxps://public-gbr[.]mkt[.]dynamics[.]com/api/orgs/724aa570-861a-ee11-a66b-6045bd0d2bad/r/cDfo0yT2j0uvPMfq60XDGAAAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fnhimall[.]in%252F%22%2C%22RedirectOptions%22%3A%7B%7D%7D&digest=agtuTGZnfjNX4Q%2BkMfx9QIBsbXnhRTtuI5EcRJ1w9PM%3D

Analysis

max time kernel
158s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://public-gbr.mkt.dynamics.com/api/orgs/724aa570-861a-ee11-a66b-6045bd0d2bad/r/cDfo0yT2j0uvPMfq60XDGAAAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fnhimall.in%252F%22%2C%22RedirectOptions%22%3A%7B%7D%7D&digest=agtuTGZnfjNX4Q%2BkMfx9QIBsbXnhRTtuI5EcRJ1w9PM%3D

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133335314920750477"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3152	chrome.exe
3152	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe
Token: SeShutdownPrivilege	3152	chrome.exe
Token: SeCreatePagefilePrivilege	3152	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 4356	3152	chrome.exe	43
PID 3152 wrote to memory of 4356	3152	chrome.exe	43
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1912	3152	chrome.exe	87
PID 3152 wrote to memory of 1020	3152	chrome.exe	89
PID 3152 wrote to memory of 1020	3152	chrome.exe	89
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88
PID 3152 wrote to memory of 3008	3152	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://public-gbr.mkt.dynamics.com/api/orgs/724aa570-861a-ee11-a66b-6045bd0d2bad/r/cDfo0yT2j0uvPMfq60XDGAAAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fnhimall.in%252F%22%2C%22RedirectOptions%22%3A%7B%7D%7D&digest=agtuTGZnfjNX4Q%2BkMfx9QIBsbXnhRTtuI5EcRJ1w9PM%3D
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed01c9758,0x7ffed01c9768,0x7ffed01c9778
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1888,i,9674856844451087176,17375748221154353613,131072 /prefetch:2
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1888,i,9674856844451087176,17375748221154353613,131072 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1888,i,9674856844451087176,17375748221154353613,131072 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1888,i,9674856844451087176,17375748221154353613,131072 /prefetch:1
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1888,i,9674856844451087176,17375748221154353613,131072 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4432 --field-trial-handle=1888,i,9674856844451087176,17375748221154353613,131072 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5000 --field-trial-handle=1888,i,9674856844451087176,17375748221154353613,131072 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1888,i,9674856844451087176,17375748221154353613,131072 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1888,i,9674856844451087176,17375748221154353613,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2832 --field-trial-handle=1888,i,9674856844451087176,17375748221154353613,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4672

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d7a007f70c639b3eddaadd6b1d3219c5

SHA1
c6dc4b477a5b15e835320332d88ad822e373ce57

SHA256
6cde4a01cfe4dc52dbaccda829703673f7bc70518d25ec186b361749fc89d81e

SHA512
4cc964c08ae64055aaaf6cb501f6b274d176ba41ef1c2f50cb38ed8dd446ed4c2996f98cfd7bb8d55536ebe6d914695a554357ba2f6c0c0b8d4ed95b44cffda4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
4a395037cc5261893f1cabacd917dd6e

SHA1
c82291bc7f3eb4ca89abb729e6abe20ab544fb14

SHA256
c6dd2f3e9573d1dbd8743c5d9ed734546ab9f0f4582172a38464c236394e6125

SHA512
094272d22b129cc6c85a7b2d9f324b443b6f4b392cb78f2a0e3501675611bc5767da00c4e0241e2f7b201817da5b9b525e2217f9c43cad3507c7312b62d38a52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4461ac7e74b69d72eba16317488d3f8c

SHA1
cd109336db4e1d3dfaca5d126b2d897d4c166903

SHA256
3704cd8156dd40795717a35e7f2c71e3a222ac326ff163874005ff99d646853c

SHA512
c1f86d5bb447353b21ee11067daa53e94872c020fdf0348bbf441bddd9bb65776533b077f46dda71fd84cf1c3ebc8e3b549d014c850f1c497acb869b00860e6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f137c207c240fcc84c13e2b26bd61f8c

SHA1
dc8a803da8e1eea37b1fb11bcc4d6dd2e36a1f90

SHA256
3b2725ba9c1802c2702d76e6623a00622585daa9baa9629be605e2f23f15da6c

SHA512
06606ce2561be592b84b74918e06c4374cbf86ac466ced008f6c20903bcd54307fdc214f4f213063a1fdac42c66482938a8ebe8b8e1123b27cda072c745f51d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
172KB

MD5
a63ddda8a67fe2e00e44dde3af718c97

SHA1
09ffb7b4aa1ec688732258571843a82eba0fb811

SHA256
c796ddb64ed8895e9ba9c95fb2472d0d0fe2f8c94fccbca8077189d0b3a6d14a

SHA512
6acc35e445e204cac9f45a6283407b979dd105ce156972fce75df586c5d329699ded877eec3000d05232393d2e5ac4b5f24b9f3e2f0e2899f5c995782685a8eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit