hxxp://employeesupportservice[.]nicepage[.]io

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/08/2023, 16:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://employeesupportservice.nicepage.io

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133365905829060759"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
1776	chrome.exe
1776	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 3144	4868	chrome.exe	82
PID 4868 wrote to memory of 3144	4868	chrome.exe	82
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 4016	4868	chrome.exe	84
PID 4868 wrote to memory of 3636	4868	chrome.exe	85
PID 4868 wrote to memory of 3636	4868	chrome.exe	85
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86
PID 4868 wrote to memory of 2264	4868	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://employeesupportservice.nicepage.io
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8533f9758,0x7ff8533f9768,0x7ff8533f9778
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1876,i,4955467525054103154,8891937204132984680,131072 /prefetch:2
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1876,i,4955467525054103154,8891937204132984680,131072 /prefetch:8
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1876,i,4955467525054103154,8891937204132984680,131072 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1876,i,4955467525054103154,8891937204132984680,131072 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1876,i,4955467525054103154,8891937204132984680,131072 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3976 --field-trial-handle=1876,i,4955467525054103154,8891937204132984680,131072 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1876,i,4955467525054103154,8891937204132984680,131072 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 --field-trial-handle=1876,i,4955467525054103154,8891937204132984680,131072 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2704 --field-trial-handle=1876,i,4955467525054103154,8891937204132984680,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
175KB

MD5
2a9c0a1074358185eeb6b70954ebdfe9

SHA1
c944e4dc2d1c703937ba0c9ada25927bb3373983

SHA256
4dadc11ec68efc62c2ec5fdddca582d3f3bc413b85351b5d3d7285cf8d2f0cd4

SHA512
29c9d5895fcbdcb5999a40a5068d378b86c50a2ccda983049dcf5b9a184fb2d1162fa0a7225f1a6ae07b993fa4d251f6aefe5df008c055fe1c2fc859c135b339

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
f9ce459da15260d760c8deb3955f68b9

SHA1
e323036bc33b01c89590432b502d79c9a6904d5e

SHA256
6598b940ee97d23024cb08f2992d5a16baba0fc63bf5e12761a091cc389e9010

SHA512
5a8800d0dce68197355f8949eba10dec8c0ef2d26a34055dcabdc309aaeaf6414fd7320a350e45e118ce43009fde5cfb4dbba3b6223cc2208b7a355bb0ca8b0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
611e057c7de64418c4f4d5023f31453c

SHA1
80535c9cc37352f57eacdca82dc88fb15c6e9782

SHA256
f516fc966c693a7710a65f1d7b75cb8821eb9706ac2e97697ac4bd39eabe040e

SHA512
c04312443a4d4e66550da8f758d4917f0a06dded4921aae8599f2092f0e013ee2fbee625482e26ab88d36337c71b478d457062f542b0608ca8087a0e3124f738

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
88023c0473057c786f65ea781f6a2010

SHA1
33e532a3bcec871c48f2d91411d16430bbe42000

SHA256
3b3e61dc42550da406d7e2abfa027f44d11028931daa1a1be5f81d8c63002933

SHA512
da2d93462bea17bcf29384775b461efd1a43234a1490ab8175f40fb2657ce840382d33da9ab165805642f2f67fc042b1084f020108b8e5282bbb0b948bb826ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9d96f9571ae06f1fa20702462ac4c909

SHA1
7fdaa0f489cf725b256aedfba4c396445cc12946

SHA256
40c1abe81e7ff15133cf5a0b2ca8e8d2fc96379546732c25046fd474dc9d1b9e

SHA512
46848b0349693b60b24d401c9939712c2aec694f8f639ee3ac08e35f417543fab9657ab7a22de4cf14255eec4191f57033005dc02a2727d879697df1ec5369fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7c9ef3afdd480c4f4f8cbef19a231aa9

SHA1
6c586e875d3dd853c283721af5d25d971d981eeb

SHA256
de7163c71f1928a81bc8c398df5736eea9bbb578198cdf708ab1489e4f628de8

SHA512
7b967d1198c2678c28342885214660d008063734aeae9112f2f22054b8ad55c0eb233d6ca5ba3ee89f3fac868738095bc30cbf8120ef4c483c9cae25e5585a22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
658ef2c79af135753a86c3a6fd623982

SHA1
bf3d7b418fbb6aed6376c8fc22c6296d8e5d7b1c

SHA256
90d8ea0a0fcdfdbf014af20c737f50747757675f41ac380602b363279b747e0c

SHA512
1ca794665628fdf6d23eb0125e3190d438e3e554d9540d961e09cc21d6caf1c72204e6a9210335aa28183a9c5b76db77227143dcf5ecb677748214d11af89141

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
acf1712b73184c521399e0adeca67423

SHA1
ef4cf394cbebb728d58da0f6c4ea9dbdd9d21242

SHA256
a9248c9a867f4270a2c65ad5fbf30fe49b6086f4bb30ad851e68285583f74704

SHA512
386624c1b9706efaa8ae60c6557d3354de462a9d7a9c3eb616af8b51d5f5b8bf363903fc89d78bda4055297f2deccd362a4416440606379e7b80805f4bcc84ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit