hxxps://cloud-sender-email[.]com/27232-205336/109004?uid=FanwD6mvekcPEWazM2kVPck25QZEEnm&prom_type=regular&prom_id=220008&pld=26L81sNgpwNGbf&answer=1

Analysis

max time kernel
28s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2023, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cloud-sender-email.com/27232-205336/109004?uid=FanwD6mvekcPEWazM2kVPck25QZEEnm&prom_type=regular&prom_id=220008&pld=26L81sNgpwNGbf&answer=1

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133338168662633232"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2932	chrome.exe
2932	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeCreatePagefilePrivilege	2932	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 4236	2932	chrome.exe	86
PID 2932 wrote to memory of 4236	2932	chrome.exe	86
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 2088	2932	chrome.exe	89
PID 2932 wrote to memory of 392	2932	chrome.exe	90
PID 2932 wrote to memory of 392	2932	chrome.exe	90
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91
PID 2932 wrote to memory of 4820	2932	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cloud-sender-email.com/27232-205336/109004?uid=FanwD6mvekcPEWazM2kVPck25QZEEnm&prom_type=regular&prom_id=220008&pld=26L81sNgpwNGbf&answer=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe0ba9758,0x7ffbe0ba9768,0x7ffbe0ba9778
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1888,i,8845945656412876707,8414337295885528624,131072 /prefetch:2
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1888,i,8845945656412876707,8414337295885528624,131072 /prefetch:8
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1888,i,8845945656412876707,8414337295885528624,131072 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1888,i,8845945656412876707,8414337295885528624,131072 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1888,i,8845945656412876707,8414337295885528624,131072 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 --field-trial-handle=1888,i,8845945656412876707,8414337295885528624,131072 /prefetch:8
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 --field-trial-handle=1888,i,8845945656412876707,8414337295885528624,131072 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 --field-trial-handle=1888,i,8845945656412876707,8414337295885528624,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5452 --field-trial-handle=1888,i,8845945656412876707,8414337295885528624,131072 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1764 --field-trial-handle=1888,i,8845945656412876707,8414337295885528624,131072 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5900 --field-trial-handle=1888,i,8845945656412876707,8414337295885528624,131072 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 --field-trial-handle=1888,i,8845945656412876707,8414337295885528624,131072 /prefetch:8
  2⤵
  PID:3116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
41458c7a137f84e35cb90c490bcd6a91

SHA1
2e9639d80637e359c9e96e56a5782ec0117c3c9e

SHA256
0cc6a43d9a2cad628d64086e1ea3760a0304825610ce67786e1ac5d57c66facc

SHA512
2c28e0aba9fdcbd160be011dc107a7054bdfabfd0c2ace5e4f3c1cf2af28e417c1ea4ea152edc25a699a25e1a348bbc72840d20b8a1b0d62139d693ffe745be5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
73ac8bd2c30a4ce68ac6d6a616268e75

SHA1
e3e89d1b176dabe5556b01ea19ce1b2114c273a1

SHA256
96c7901faa55a50fc022ad8e1ef493f744199813a04d16d54a755bb1c68c754a

SHA512
4313490bdf2115f56ab17bbe4404b1786011d3c75afadb4553f2933798d5260313177379fa2a38d0fbadd375b944681fee8cf3674019dbed02d0b239b6d28e14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a3633959c8281d7954ad3a60f2af0c74

SHA1
28ec72ed1d238323edade35d6674d9e6e111442e

SHA256
814c101a6cbd495070e02b4847ed3ccb822fccb67acea4e8f28349cb6f8b6f1f

SHA512
031ae348bdbd5926f7e28a8b595fde3e4519d3daeee39a462982babd5856f9a2a7380b25d2418a8e77d4f75562a77aaa23e5642f2060d127edba76ec1b8d34cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
ee10d1bf391e5699c65abcbf90a61008

SHA1
9b6afdc1d1bdfbc27c8eb975c173a238a99f2bf9

SHA256
b2692393f5a20a370ccc21e8a4c13f306f0ac587ae5009c102c5af43c231d222

SHA512
efb5512c847ff408a36b409406084f6396d0154c16fe30b7a53b2a5aa43c4e709f41a025bb27b50df0d4dac52a22d18c58dae1927031b08495ca5d7cbbf0ffbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
54b1da575699d5a398e2c05fcd137f86

SHA1
6728b0b92ad1428850b9612b9f11b4c15d797bf6

SHA256
813d354db5d3d5008cadcca0e95baaacb7b606d5a1636e2be2d0f034bc617773

SHA512
f9017d38b6b9103869fe68c79d83750c8bcaffb09b383f303fc196e5ecac70fef8cea0193f80ccea552100a17fe07db2660090bb9642c79b80294b499ef5469b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\fr-identity-breach-report-2023.pdf.crdownload

Filesize
1.3MB

MD5
5d4e2dab2dcd6aec782845e53598b3d1

SHA1
4e76d79fb69f1c53863aff3478a7e7ac17dfb1a8

SHA256
0a6195bb170797ad2762470173705831d8eeb7180d2a7a0ec51f970e42ebecf3

SHA512
89c7d952f37397bdf6df3c27c9c54c66137c5e9e6e5d2cf3bfa6b309590286723e7bab7053a3a31135e5db726c62853b34760df491af175b857c32b6cdd53f33

Download Submit