hxxps://securemail[.]wf[.]com/s/e?m=ABCWcG31V3hP0uVV3t2IZyap&em=dayna*2ewest*40mt*2egov

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2023 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://securemail.wf.com/s/e?m=ABCWcG31V3hP0uVV3t2IZyap&em=dayna*2ewest*40mt*2egov

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133359147127603120"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe
4640	chrome.exe
4640	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe
Token: SeShutdownPrivilege	4612	chrome.exe
Token: SeCreatePagefilePrivilege	4612	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 2448	4612	chrome.exe	73
PID 4612 wrote to memory of 2448	4612	chrome.exe	73
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 5044	4612	chrome.exe	88
PID 4612 wrote to memory of 2212	4612	chrome.exe	84
PID 4612 wrote to memory of 2212	4612	chrome.exe	84
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85
PID 4612 wrote to memory of 3648	4612	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://securemail.wf.com/s/e?m=ABCWcG31V3hP0uVV3t2IZyap&em=dayna*2ewest*40mt*2egov
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa227e9758,0x7ffa227e9768,0x7ffa227e9778
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1876,i,5319258327647968185,3703204775316720865,131072 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1876,i,5319258327647968185,3703204775316720865,131072 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2760 --field-trial-handle=1876,i,5319258327647968185,3703204775316720865,131072 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2768 --field-trial-handle=1876,i,5319258327647968185,3703204775316720865,131072 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1876,i,5319258327647968185,3703204775316720865,131072 /prefetch:2
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1876,i,5319258327647968185,3703204775316720865,131072 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3984 --field-trial-handle=1876,i,5319258327647968185,3703204775316720865,131072 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3656 --field-trial-handle=1876,i,5319258327647968185,3703204775316720865,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4640

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\133053f5-5896-4804-b7d8-51843451c873.tmp

Filesize
87KB

MD5
6f4d5ab1da1bdf245dbcb4ec73245ad3

SHA1
1a340b22717dd0f86a8e3a5d0d98c09c3781a394

SHA256
3a676b66abbcd3d46f4bfc842b0c4c31f28f34b6f5adcbc1ec1bbb0a7d3b22f2

SHA512
45e7a17dbb92135ec3cba3bb61340c1da8ab4c46167d01417ae023906e7bf9dafb002168fff1f932bd370083a272e06e79ad8fe247e6ae72e38b529ae0d4697b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\635f64d5-7a8d-44c9-9308-1a41745b5a12.tmp

Filesize
6KB

MD5
2224f368b191422f04bb34cb64dd1474

SHA1
18c92c0952149278fe048b78d18b72d4430e6524

SHA256
2498ef2ec974951e408f68e3e16b37a695361a1b25f9cc0e650e7ebaab1fdfbb

SHA512
2f83768dedddd3dd0e6c0411a20f41f9f221e932c281e63a64dfea30670ab4e062f766c60296ab7087359fb92fc4249c2de40411aa95f2ac7a722db3e4dbfb52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
d36bd3fdd730b0d4217f39845cd31507

SHA1
1066bf6f71f1b6f8cf4796ed5eb38c514d1c983e

SHA256
bee182f96b0682ed630adc94b0c2b25e282e1809cceecc49ec95f7f4195e232c

SHA512
c933afca98dd61d3e03c8710ff927419a39ffc4d5bb0a07bfa22ce5c7ab683a8a7e389c48e86660b5fe496e49d7eeb56c0d9d066ec054f3589c24f1027e9a060

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
836B

MD5
9c9eb3d0839481f32e18fab3e12abae8

SHA1
e4d741e274472368228d41a90ba32c6cdaa2ff0e

SHA256
13a867a85cba15e70a24c85c3b3411146e453bb6f8a38c89b735c3699388899e

SHA512
7adb065b2722c1c25cce449f6433403da08651da6dbfb7ce1515578997fb25c6434086e6ef96416f5f9038ad0d9bcc10ec2c60e886e49f82020414688637ab54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
3b9388c418f7fd28a394ed491a3033e1

SHA1
e8a571dea991ded0a514e339a9abec37f5512666

SHA256
dd3d3ce002d7476fbe90aae7383980da49427219e540b41cdd5047a11dbfa3d8

SHA512
b245f32c576a8b45a9b01b12b5aa13ffd039848d1ff3f0a3fe77a0b5b9f9c45e856c86f57457bf24eb566e2ade4700cee7d96847fab9adfae42294eeb00a65c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
95feaeff50a552d85800a198cd73ac25

SHA1
f073a3cfcb0e7983c5e7783c67289780e4f24c14

SHA256
994395de73a48e5b607ab3034a67d57a27de092fed9642180f033c031bf04e98

SHA512
f0ffb6e0bf9f56f8f4770478945393fc3fa7834acf8f462800cc8cefe97d04d939c7f7b32452a0f2ed9b3b6d957a08d79b28b89400854e4d7a2ada643122a43f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
87f5ed68d3ee390c3c0e6b595968de31

SHA1
f5e24c2e170f777db9e9a85790ef218c59564b15

SHA256
2d000821f8fcd19d0b98cf0ca3881224fb60727edb52c8bc6a7c40eacae7533b

SHA512
6604142bbff0e0432a7af63d8015a79eec5a8ab8c84839174031ae26628ea8464003111556ddc207daea01c344b086520ef571eaca83a8c4d1e4bbf2b1fa0510

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit