hxxps://protect-eu[.]mimecast[.]com/s/emZjC9Q6Jck5WXR5foe2Sc/

Analysis

max time kernel
158s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2023 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://protect-eu.mimecast.com/s/emZjC9Q6Jck5WXR5foe2Sc/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133341886935431807"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4624	chrome.exe
4624	chrome.exe
2748	chrome.exe
2748	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4624	chrome.exe
4624	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 4396	4624	chrome.exe	86
PID 4624 wrote to memory of 4396	4624	chrome.exe	86
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 1772	4624	chrome.exe	88
PID 4624 wrote to memory of 2864	4624	chrome.exe	89
PID 4624 wrote to memory of 2864	4624	chrome.exe	89
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90
PID 4624 wrote to memory of 4840	4624	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://protect-eu.mimecast.com/s/emZjC9Q6Jck5WXR5foe2Sc/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0fd99758,0x7ffb0fd99768,0x7ffb0fd99778
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=312 --field-trial-handle=1708,i,13166461715000483080,159280323458128706,131072 /prefetch:2
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1708,i,13166461715000483080,159280323458128706,131072 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1708,i,13166461715000483080,159280323458128706,131072 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1708,i,13166461715000483080,159280323458128706,131072 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1708,i,13166461715000483080,159280323458128706,131072 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1708,i,13166461715000483080,159280323458128706,131072 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1708,i,13166461715000483080,159280323458128706,131072 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3508 --field-trial-handle=1708,i,13166461715000483080,159280323458128706,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
2e96fa6d6acbf7db699c069038fee251

SHA1
df928627dd690e09e0ea61b37da8df5041a06b65

SHA256
1a458e399a620b9ecf797d0e0be4701fb77464b482bebbd2a4f24a63d5111872

SHA512
d39345279a0bf87f9e291a9d983527449a51408ba00c4b892bf79367ed0ecb907cf9e107f76f532930db3813eb64f50915ed232402d678b4396fa34478ec374a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
de5698a126d769cd258a4be7eb9fb757

SHA1
bdc326a4838120f42cb2699fc6760fee72311309

SHA256
344d12142e6e64b6a88cfd08ab79312f489839bb7a93c28ddaa912c551edfc95

SHA512
27098ba611a66830bd826142cd8718da59e5b10741730bc43a1ca7280929ffa2ad97bc96f975d86316b41084732e3e89fd273bc8d3f106d8e04b8faf13138be0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
701B

MD5
066f76045741de6e3739726a8f761633

SHA1
c9272dfa80f42f618d6d0ae212db95aee54e7c2d

SHA256
ceef05ecf7dc641a422c2c124fe0fcc41e502862c2e664bda5a924fa0913e9b4

SHA512
5b87d9efea360bceb7e2ba3c74eee264ff6817da1b58c75c0d79b94419d937d703273b9cc812203bc4bc6f82d4598c1ceb99caa4f09542e23d5db99aefe51667

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2c519419aed875b85bf9c0dfd3b18f45

SHA1
0e63623673f35bc4692a9709a723afaaa9aac34a

SHA256
4cf3568149d21e6fea630c783aea0d8c81cfcd5e15a2f789e52ca7d1a4898d73

SHA512
d8f4b0799d9a0caacd268f7d1923c4718ba0ad1d9fca587aa54accbc4b5152f49cc34ac8cf969b8fab7c10b0ff2c235f2de5333cd710b6c161277b0db0b8bf0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
dc30a6199b560c44f1deb9f22cf6cdea

SHA1
5d5e2fe9efc375de9b3524cfe6968ad5f6e097fc

SHA256
af33be34dcf0cd87a5ee5c013e1c8dbabc0b5c14bca89500270bd6f9aec387dd

SHA512
2d1b1cbf306b07af44e261d98fc684f8f22ac4816efd09e44ab502e1adca6015bbd685fa08141388f9511fa3e2f80ef16a0a454c17890c19a0dc472a1d062ae7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit