hxxps://aus01[.]safelinks[.]protection[.]outlook[.]com/ap/b-59584e83/?url=https%3A%2F%2Fphoenixplaceinc-my[.]sharepoint[.]com%2F%3Ab%3A%2Fg%2Fpersonal%2Fsam_phoenixplace_org_au%2FEasOQBwjts5BqeBZlNg_OasBCrmlWrOuawCra4HDeGBvWQ%3Fe%3D4%253aiDZG6O%26at%3D9&data=05%7C01%7Cprocessing%40bluecard[.]qld[.]gov[.]au%7C063ede40bbff4357b10408db97035417%7C583ea622975d4befa1d0d1f9c139f8b3%7C0%7C0%7C638269812805240187%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=P1hvM9pgAZH8i6FET05CQHx0AI9TRGB8mU7vPdgcYyE%3D&reserved=0

Resubmissions

08/08/2023, 02:12

230808-cm66wsbf9t 1

08/08/2023, 01:46

230808-b7cmcabf5t 1

Analysis

max time kernel
60s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2023, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://aus01.safelinks.protection.outlook.com/ap/b-59584e83/?url=https%3A%2F%2Fphoenixplaceinc-my.sharepoint.com%2F%3Ab%3A%2Fg%2Fpersonal%2Fsam_phoenixplace_org_au%2FEasOQBwjts5BqeBZlNg_OasBCrmlWrOuawCra4HDeGBvWQ%3Fe%3D4%253aiDZG6O%26at%3D9&data=05%7C01%7Cprocessing%40bluecard.qld.gov.au%7C063ede40bbff4357b10408db97035417%7C583ea622975d4befa1d0d1f9c139f8b3%7C0%7C0%7C638269812805240187%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=P1hvM9pgAZH8i6FET05CQHx0AI9TRGB8mU7vPdgcYyE%3D&reserved=0

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133359343883782504"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2716	chrome.exe
2716	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 4928	2716	chrome.exe	82
PID 2716 wrote to memory of 4928	2716	chrome.exe	82
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 1096	2716	chrome.exe	84
PID 2716 wrote to memory of 2576	2716	chrome.exe	85
PID 2716 wrote to memory of 2576	2716	chrome.exe	85
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86
PID 2716 wrote to memory of 4256	2716	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://aus01.safelinks.protection.outlook.com/ap/b-59584e83/?url=https%3A%2F%2Fphoenixplaceinc-my.sharepoint.com%2F%3Ab%3A%2Fg%2Fpersonal%2Fsam_phoenixplace_org_au%2FEasOQBwjts5BqeBZlNg_OasBCrmlWrOuawCra4HDeGBvWQ%3Fe%3D4%253aiDZG6O%26at%3D9&data=05%7C01%7Cprocessing%40bluecard.qld.gov.au%7C063ede40bbff4357b10408db97035417%7C583ea622975d4befa1d0d1f9c139f8b3%7C0%7C0%7C638269812805240187%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=P1hvM9pgAZH8i6FET05CQHx0AI9TRGB8mU7vPdgcYyE%3D&reserved=0
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfff89758,0x7ffcfff89768,0x7ffcfff89778
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1848,i,14914696178351937039,9035671680768825110,131072 /prefetch:2
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1848,i,14914696178351937039,9035671680768825110,131072 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1848,i,14914696178351937039,9035671680768825110,131072 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1848,i,14914696178351937039,9035671680768825110,131072 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1848,i,14914696178351937039,9035671680768825110,131072 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4628 --field-trial-handle=1848,i,14914696178351937039,9035671680768825110,131072 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1848,i,14914696178351937039,9035671680768825110,131072 /prefetch:8
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1848,i,14914696178351937039,9035671680768825110,131072 /prefetch:8
  2⤵
  PID:2184

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
0381611f86bc0e7d74d5f43315eaa2f1

SHA1
6fad1441c8a1d5af6c0d65c7ed6fab7caa0139b4

SHA256
49a5eda42c77e9b1377957bb8769ac90033f9451fe2b3a6933cf13bc50cc33ab

SHA512
6e83faef442553761ef97f766066941dcc353a7fd45934edeb864abaeb36cd52e7af035ab00629fa075f41b7b0cad15e1509f91b25e2f99667507bf94f93b68a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
3378e2b8c959b738e6a65b4b3c96a65e

SHA1
b3a28e5cbcb6905978a1e6e2f377e42d0c010bb5

SHA256
9cd0bca3c412d7f0fe754be028af5510a979ac395ca66a27db2a426fefd8ca8f

SHA512
b1d2eccb67d29ba3ba92322df366418121cdfec6d2c853788a5699ba529dd65199b711836ad291348daa3474674165e7a6d14e5703ded51acca64f203e3dd9ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4b79e353af2c1af850a70e5e05eb80a3

SHA1
484220f729321885aa2bd2b0b475668392b84a13

SHA256
8eedbfcf63a5ef6f67dcbbe8ef52a9f2164f8cb359e377401e68d4a66000682c

SHA512
35a2a73513f7f9b80c60ecb57e5c7a19ef969bdcea5788eaa1ea73585a7c3a9a7979af9ece01b329269bc87c98107d49e9bf298a48704cae949189e0d1760d63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b402ffa42654c836595e7d4cf9f90bb3

SHA1
40f94f86a7d554bd947bbf53db11c9eff0e8049d

SHA256
d5d3a0681a751df25eec9caacf2849c81713bea672f690aeb16a79980ea37d01

SHA512
514d313e908c86a61d6c31a8a70cb24cb5c02435c181a86a9aaa2dcbaef8e7e157fb02702d36ea0b7bbbd5a0f22e4d87790aa30e46139a2e910f645628ef1410

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d66e5ee4-1c52-4a39-8c8f-1ca6e7491300.tmp

Filesize
87KB

MD5
e1bb8afe4d79a72a069a016fde8584e2

SHA1
24e71bee7245caee8aff06a240c1ba3ce434ac03

SHA256
1b9cba14991b6f54f8e078f8a9e84b9fbac299b006dfefac68fc04c8dc49cff8

SHA512
c3608bae15a4725cc3923c429eb7432d7c6fd39f6b7f1e236e58fcdd1c0ff56fbad277cb54df211fef5f97b016ab68493edca70995ff06a4f9f858747892b426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit