hxxps://nam04[.]safelinks[.]protection[.]outlook[.]com/ap/w-59584e83/?url=https%3A%2F%2Fkdhbuilders-my[.]sharepoint[.]com%2F%3Aw%3A%2Fg%2Fpersonal%2Fbmccombs_kdhbuilders_net%2FETLO_lf-4GpIkaFowo9EYioBuXXxl46m3fzphpPTwHzoFQ%3Fe%3D4%253azjwcqt%26at%3D9&data=05%7C01%7Cbmccombs%40kdhbuilders[.]net%7Ca8fbb023b9704c981cf908db86f53423%7C965fa22390e14fa7a932334f1651e70c%7C0%7C0%7C638252159946780811%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=xcDIGfDtYu19EH6BI%2F%2FfUoyjqX%2FRlFzO0Vz7C706FDg%3D&reserved=0

Analysis

max time kernel
15s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2023, 12:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://nam04.safelinks.protection.outlook.com/ap/w-59584e83/?url=https%3A%2F%2Fkdhbuilders-my.sharepoint.com%2F%3Aw%3A%2Fg%2Fpersonal%2Fbmccombs_kdhbuilders_net%2FETLO_lf-4GpIkaFowo9EYioBuXXxl46m3fzphpPTwHzoFQ%3Fe%3D4%253azjwcqt%26at%3D9&data=05%7C01%7Cbmccombs%40kdhbuilders.net%7Ca8fbb023b9704c981cf908db86f53423%7C965fa22390e14fa7a932334f1651e70c%7C0%7C0%7C638252159946780811%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=xcDIGfDtYu19EH6BI%2F%2FfUoyjqX%2FRlFzO0Vz7C706FDg%3D&reserved=0

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133341573385684499"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 2136	5028	chrome.exe	53
PID 5028 wrote to memory of 2136	5028	chrome.exe	53
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2768	5028	chrome.exe	88
PID 5028 wrote to memory of 2488	5028	chrome.exe	90
PID 5028 wrote to memory of 2488	5028	chrome.exe	90
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89
PID 5028 wrote to memory of 4328	5028	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://nam04.safelinks.protection.outlook.com/ap/w-59584e83/?url=https%3A%2F%2Fkdhbuilders-my.sharepoint.com%2F%3Aw%3A%2Fg%2Fpersonal%2Fbmccombs_kdhbuilders_net%2FETLO_lf-4GpIkaFowo9EYioBuXXxl46m3fzphpPTwHzoFQ%3Fe%3D4%253azjwcqt%26at%3D9&data=05%7C01%7Cbmccombs%40kdhbuilders.net%7Ca8fbb023b9704c981cf908db86f53423%7C965fa22390e14fa7a932334f1651e70c%7C0%7C0%7C638252159946780811%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=xcDIGfDtYu19EH6BI%2F%2FfUoyjqX%2FRlFzO0Vz7C706FDg%3D&reserved=0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff859409758,0x7ff859409768,0x7ff859409778
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1920,i,3821164004208095724,465908781318436626,131072 /prefetch:2
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1920,i,3821164004208095724,465908781318436626,131072 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1920,i,3821164004208095724,465908781318436626,131072 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1920,i,3821164004208095724,465908781318436626,131072 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1920,i,3821164004208095724,465908781318436626,131072 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4716 --field-trial-handle=1920,i,3821164004208095724,465908781318436626,131072 /prefetch:1
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1920,i,3821164004208095724,465908781318436626,131072 /prefetch:8
  2⤵
  PID:492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1920,i,3821164004208095724,465908781318436626,131072 /prefetch:8
  2⤵
  PID:4544

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
7890d628d26914a6c39815d2b7c96350

SHA1
55f3c9f3e7c0526ce1cdb7defad947dfd115324c

SHA256
6239865c408089354c786f2746caa0fe6f8f752ca64085a0904c643545fdbe0c

SHA512
a832b24d596191fc33d82a06437cb7ef43ec9131f4bd686d650942167a599ccc1b4e0fc5945aab3633aa4a10416b1e5f1e0985bd265440dc049dc805071fa968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
aadcc0a33fc2d0b135d0ac3bfc18ad95

SHA1
f71f3ca6c52fe2d27d6c323d1565039d421837c7

SHA256
e8fc370c0ac173dac1833baf474fbfd19d9f2a74a8946e0e40de78447a7d42ca

SHA512
86f4cd1587933b0fdd8cfdfbe7a2e6b3f6e296c6d474ef9cf5a6d5bb8349f0181a8159fc66b5a3041683a9f6491e6bf407e7409fc05e7b3e7cf13ce362a16ec0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
47ac97c5cd4a062c9782620aa2925d69

SHA1
52ade82926f86cef26cb7e8a0494ef94d0b5488a

SHA256
7fbd92e178c48725406ce05749182734688e5444414e490e25f8c28572b728fc

SHA512
21e93e04ad03d630abcc35eb74aba0069580ee01f895828fcac653063a49d3ba7d8f644d9ba28fcd91b2085a638b81cdf04f7fbf029a9be524889fa74e1c6a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
8aea310898e71e21951550fa99c46871

SHA1
b59ea52ecac957a8eccd5914ea8bb7141da62425

SHA256
6185d4b6b8ea94006d041696fe0d9ef014995a5c8e0a8aad206eec4a51fe202f

SHA512
818adf3db30ee24ed73cbaf31de62009fee9f5c2acce40eac5d5f9607d24a0eb7f2da030aa1236077d07f84fbcef83a7f1ef2b6a7a4b3644cebea0c1aff49d52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit