hxxp://ww25[.]zorgcampus[.]nlad[.]nl

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2023, 09:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://ww25.zorgcampus.nlad.nl

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133353545432564742"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
2872	chrome.exe
2872	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 4128	4496	chrome.exe	84
PID 4496 wrote to memory of 4128	4496	chrome.exe	84
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 4472	4496	chrome.exe	87
PID 4496 wrote to memory of 2148	4496	chrome.exe	88
PID 4496 wrote to memory of 2148	4496	chrome.exe	88
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89
PID 4496 wrote to memory of 1180	4496	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://ww25.zorgcampus.nlad.nl
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9a8d9758,0x7fff9a8d9768,0x7fff9a8d9778
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1284 --field-trial-handle=1896,i,12230929031733381646,14533084201497779155,131072 /prefetch:2
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1896,i,12230929031733381646,14533084201497779155,131072 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1896,i,12230929031733381646,14533084201497779155,131072 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2816 --field-trial-handle=1896,i,12230929031733381646,14533084201497779155,131072 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2824 --field-trial-handle=1896,i,12230929031733381646,14533084201497779155,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4536 --field-trial-handle=1896,i,12230929031733381646,14533084201497779155,131072 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3288 --field-trial-handle=1896,i,12230929031733381646,14533084201497779155,131072 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1896,i,12230929031733381646,14533084201497779155,131072 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1896,i,12230929031733381646,14533084201497779155,131072 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4592 --field-trial-handle=1896,i,12230929031733381646,14533084201497779155,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2872

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
a942a9a3833e85d790d3694fb223c9c5

SHA1
9b5da1ba924012b37fb152952c3a4727d3adefc0

SHA256
7ba44b8970d6d3c8c4d7977ed5ba8a161b60b3586ea72ace4b20c62d01ab2dd0

SHA512
994747a587bd441b9c1a5c00a6f8cf93494a09f25906a6d93acf2fce0873266f7c5860da2dbd118b64a52a3f4c6ca1572d36b55fe45d60a923111879c1bb8b05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d1eebcd2748453db013aa7115710d40a

SHA1
6075a328ef5ff56b0a53d0d5f6defc232c4cb778

SHA256
c9ea77e90adf36105931db8b088bc08b0abd39d4f77bff86f2d74056027ac8eb

SHA512
1b2559c890de62eb7d6845cec7e4d9624f094385d60ce337e8f5c1647cdd491aabf302b1250ccea0d798b47ab9ac1a161fd385c70ad9ba93becf75140b58947f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ddb0fde9f99861176f05b346cea40e21

SHA1
16c3c1cd92860b1f9fc4c36165fe7ffbda6cbcf0

SHA256
2ba4c5a2ba1276dc93f32764a07bf8401c69d452a7f9de1e754af3dc67e07033

SHA512
4d0d7cc8e1d74ff204d13be3ccd1d973f61053fae227e03fa2cd33819e7cd3480705ceb92d467185e1b64df1bd413f10d2d14a50f2ddfed2b2a584adb0fd8485

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
569bcd65d2e719c7405a01dd4258a6b2

SHA1
eabb7e94be21858c612aa5a2a8fdf57387bd7697

SHA256
dd4ea68a0c1fc024bfc919cf1788fa8de74b87076bd95c4a24e344229abc524b

SHA512
5449012021130982798b376fa78e815e4bac2ee457e43fde71791c9de68be78c1c532ae2dd70510fe9e1ab411a8d7c29dc98e1ef5f2f55215e209c4c69b550bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f96aa84583110c6ee4221e2b2caead4f

SHA1
249ce6fd66aa32e56785eabaa783bebcb094484a

SHA256
e00f92edafc5c3eaca047aa3fb61bae22acee394194fa1c08da3b5e28644fd67

SHA512
c47a22b865c159600b00844fd4c4ce97de5855e7d0ada986d5bcf561a38c4c9e7981d2ad06aa3064cb786778f7bac4157ede1f2a13e29a346592564697a42dea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
f9ffb8071d72ae5c4ac309e9915188cb

SHA1
97897ca0a40bba461492a320290f91b6a7399b91

SHA256
7a3fd9edfaa2022c44958054b322f8bf2f9818e3931fbc06c43c6ea14c0597bb

SHA512
a90b9fe2319132e94b763a14bdd8b157370c47d4741938f568d86d3519d21c6c7f18702236358eb74241a49dbc382aa0d78124459b0b690dcbcf1f62c27bdde4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit