hxxps://northwellhealth[.]modernhire[.]com/hm/scheduling/calendarentry[.]aspx?email=Aciaravino%40northwell[.]edu&h_email=m9CVdkhO%2fZJNmCt52GCygcHCI4ldoSHK0FBZRaOfjoOGZ8wRX5hNcWwKpcGZ%2bevZOlyj6p%2biNiUPUOndY9g3BA%3d%3d

Analysis

max time kernel
34s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/08/2023, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://northwellhealth.modernhire.com/hm/scheduling/calendarentry.aspx?email=Aciaravino%40northwell.edu&h_email=m9CVdkhO%2fZJNmCt52GCygcHCI4ldoSHK0FBZRaOfjoOGZ8wRX5hNcWwKpcGZ%2bevZOlyj6p%2biNiUPUOndY9g3BA%3d%3d

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133356404146643747"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
544	chrome.exe
544	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
544	chrome.exe
544	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeCreatePagefilePrivilege	544	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 4172	544	chrome.exe	32
PID 544 wrote to memory of 4172	544	chrome.exe	32
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 5100	544	chrome.exe	86
PID 544 wrote to memory of 4676	544	chrome.exe	87
PID 544 wrote to memory of 4676	544	chrome.exe	87
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88
PID 544 wrote to memory of 2800	544	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://northwellhealth.modernhire.com/hm/scheduling/calendarentry.aspx?email=Aciaravino%40northwell.edu&h_email=m9CVdkhO%2fZJNmCt52GCygcHCI4ldoSHK0FBZRaOfjoOGZ8wRX5hNcWwKpcGZ%2bevZOlyj6p%2biNiUPUOndY9g3BA%3d%3d
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8233d9758,0x7ff8233d9768,0x7ff8233d9778
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1816,i,3463613619453072697,18327450955396525892,131072 /prefetch:2
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1816,i,3463613619453072697,18327450955396525892,131072 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1816,i,3463613619453072697,18327450955396525892,131072 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1816,i,3463613619453072697,18327450955396525892,131072 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1816,i,3463613619453072697,18327450955396525892,131072 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1816,i,3463613619453072697,18327450955396525892,131072 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1816,i,3463613619453072697,18327450955396525892,131072 /prefetch:8
  2⤵
  PID:224

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
d0a5a7be9f392dcaa2a1e3cb03a7b0ca

SHA1
a8c0965ecfa9d7c6972e604e37e0030c831fcc34

SHA256
e1825cd3d4c34bcb181e9bd8573528a3ade0e5428cfef2f409edf78ff00a6ecd

SHA512
c24468f0b90828b1537fd7b0cd4470252825c5fc42daf23aa06aee216f14e6f7d0c0b3f6768e632eb9127680f2cf871774aced7122d9a6ba48cc42ff349cc2a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b392c550f8952ee0e4920d7c4ee7347b

SHA1
986efe98d0b6ce976325ed570ab9de12631a865e

SHA256
e860a43fa32981a2756ec3b4542f3fbb07366c6db8919d4b0d6d353daee3c3eb

SHA512
e9d79c7c042558886504552c470080f0063b0735b724451a338e4605601e129042bc138a4410ca777fef79acbf77877c8c563e681d53f1c0e9f40f21c7b8493a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
503f6a1310a6b50fad70336851a3591f

SHA1
2c19ff3981afb9fe4bf6212fc22c63393bde855f

SHA256
bd8705f4702c8be3cecc21c057d858e93bd588659d8d937869b235219664efc6

SHA512
c991dd1ee1c71b6e1921f9a8a7d7ed82ac6721ccc030c653b5cabd33719d3d407eebf489ca68824bcd2d28cce05ed72cb1326a8292dff1faec806f38d20c8361

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
678cc4f0b2efb04cabf073ef36e5b975

SHA1
eb3874674272b2c97fc07eae6f9c2b5067e1e5e1

SHA256
3d16f7c7295766a32f0884fadf24dae0a7ee37dd0b4439107a84d4d4bf408c4e

SHA512
f6081a59d634fb7dd7563d46dcf2ce071080a2f05f83a87ee850d747b93639b12303273e12f26eae4dd42e72eb7afc4d68370663b712fded9fe219803fe66db4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit