hxxps://chipotle[.]app[.]link/?$3p=e_et&$fallback_url=hxxps://shubhakarahospital[.]com/p/Tenaska/lcarlson@tenaska[.]com

Resubmissions

17/07/2023, 16:42

230717-t7sbxaec31 1

17/07/2023, 16:39

230717-t563aaec2t 1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://chipotle.app.link/?$3p=e_et&$fallback_url=https://shubhakarahospital.com/p/Tenaska/[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133340857682006349"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3156	chrome.exe
3156	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 212	3308	chrome.exe	83
PID 3308 wrote to memory of 212	3308	chrome.exe	83
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 2932	3308	chrome.exe	87
PID 3308 wrote to memory of 4828	3308	chrome.exe	85
PID 3308 wrote to memory of 4828	3308	chrome.exe	85
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86
PID 3308 wrote to memory of 2300	3308	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://chipotle.app.link/?$3p=e_et&$fallback_url=https://shubhakarahospital.com/p/Tenaska/[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff375d9758,0x7fff375d9768,0x7fff375d9778
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1860,i,6235555677055447015,4860102947864537399,131072 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 --field-trial-handle=1860,i,6235555677055447015,4860102947864537399,131072 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1860,i,6235555677055447015,4860102947864537399,131072 /prefetch:2
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1860,i,6235555677055447015,4860102947864537399,131072 /prefetch:1
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1860,i,6235555677055447015,4860102947864537399,131072 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4828 --field-trial-handle=1860,i,6235555677055447015,4860102947864537399,131072 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4856 --field-trial-handle=1860,i,6235555677055447015,4860102947864537399,131072 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1860,i,6235555677055447015,4860102947864537399,131072 /prefetch:8
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 --field-trial-handle=1860,i,6235555677055447015,4860102947864537399,131072 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 --field-trial-handle=1860,i,6235555677055447015,4860102947864537399,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3156

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
8c62c1cd40a6c6e5f8591ea81b3524a5

SHA1
91c74ecfa4886b5164d819a51e2343c814cb1c95

SHA256
920ab82893da8b11c83d93051ac30eac951cff58b1898b2588a1728028f907a4

SHA512
e07267e5c839a061af73516b1b2d91ee8cd54955422b8b98971080b46961c53e125ce65bcaee50ef71f1038d217f4a2017004e3ede12cd1c73a376fa3d3ae420

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6bafa662f2213eb794024141179a45c4

SHA1
9415cf0bf5f0b1288ee4c7af05fe1f0a84d2bb3a

SHA256
15ca95eff11a95a57b42fcb7ecd430732c7800fee6ccf585091b26dc0ae9fd17

SHA512
3bf6ce05bc0d0b833a2c002d97ed95ce287467310b58baa10a9dcfafdc619a550b8022d7d9bd4be5794a25b4db95c6b59809c14706036364752067c484d7feaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
43998a6abe4fdcb759973fdfe661ffac

SHA1
b7438c2e2e13f01969a1336be0dfe2945b7cf169

SHA256
7b5ad935647132f8716953255484f178cdf726c38dd946e45af390e32d480c39

SHA512
a4e883146317a220f94e7b5013a6e304c76d87620723752321f7efc1cb15e138b33442fcf2a29b0f0baa3fa48fdb9fe3abd6e43e4e0e5774475ce190137b9fc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
af37a8886dcad700a3594b828728ae7e

SHA1
d668256826ad096e588d0ffa36c98813ae15606f

SHA256
49818cd37848bc5ec9e524e81e06efdd600db97b9e8e26ad90f33c59ffffaca4

SHA512
f921af1e0611dc41501bb20234278cf8c36cc2a43ddbd74171337eb72bfef93d18e5f5fbc1c1fcd99e8d76722699263c5d59774de477cf2ae69989e3f85622e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e38f47026c9999c2f6508cedc40880b1

SHA1
c685c8520d604269b6d83955696d8670042f8dfc

SHA256
27a03821459bdd82be92552ca1915ad5339f4d3d2a54283000713ae4ce6c0fb3

SHA512
e443a5fc7c040b4041fd877ba22fcacb6545a7fe96a687c115c6f1367ec082e2f57ed908b9e866a34297f0c89febc6c642b417d26e0a1489d82c0981d5bfef69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
80367d12a5c800948b15d3269daca197

SHA1
0998973be189381192958556c6165b69bb4b5495

SHA256
de893ca94eba80033f802b3f201da8050d181378405f0414d18e8fad4ae2aa32

SHA512
bc920c2ca3114236dde3eb402eef71501ce0abc248cf9c80e982b86c56dab13cd7f7fd57f74153e17ce378624dc6aad770b9c288248c1c94ddc249ea5d73974f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit