hxxp://click[.]enotasgw[.]com[.]br/wf/open?upn=Q-2FggRWVTLHf5EoFeyrsEIx5a-2FtXg2K-2FoB78zpWhiPE9xwoDvN1Oy6JrwiTr8ML4U6TyrXhekc18QInXXSVmDOitHRcBxWeLGbZmuglqFazRjhRBsWr9jDXEkLNqimze3M0RwtxF-2BQbyx4qCixmAISixri66VRh0nNFMfKJEl2eQQib3y6aFEuUv-2FPpCT5DpUQeGzs0lYXTAuTWRt9aFupUSSuwu207JiirzraiGv-2FGPjZWXYzdw85SgtziqvAshmxZLigkZBQSh51codSGMQVJllSJpridWGVkS7Y7zwQOuuoY8DK0h2n75FCg98bP8EKr8rckj7cPHfmYFr2URQfw-3D-3D

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2023, 12:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://click.enotasgw.com.br/wf/open?upn=Q-2FggRWVTLHf5EoFeyrsEIx5a-2FtXg2K-2FoB78zpWhiPE9xwoDvN1Oy6JrwiTr8ML4U6TyrXhekc18QInXXSVmDOitHRcBxWeLGbZmuglqFazRjhRBsWr9jDXEkLNqimze3M0RwtxF-2BQbyx4qCixmAISixri66VRh0nNFMfKJEl2eQQib3y6aFEuUv-2FPpCT5DpUQeGzs0lYXTAuTWRt9aFupUSSuwu207JiirzraiGv-2FGPjZWXYzdw85SgtziqvAshmxZLigkZBQSh51codSGMQVJllSJpridWGVkS7Y7zwQOuuoY8DK0h2n75FCg98bP8EKr8rckj7cPHfmYFr2URQfw-3D-3D

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133370940169687251"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe
1132	chrome.exe
1132	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 5060	4276	chrome.exe	81
PID 4276 wrote to memory of 5060	4276	chrome.exe	81
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 2484	4276	chrome.exe	83
PID 4276 wrote to memory of 4396	4276	chrome.exe	88
PID 4276 wrote to memory of 4396	4276	chrome.exe	88
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84
PID 4276 wrote to memory of 1668	4276	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://click.enotasgw.com.br/wf/open?upn=Q-2FggRWVTLHf5EoFeyrsEIx5a-2FtXg2K-2FoB78zpWhiPE9xwoDvN1Oy6JrwiTr8ML4U6TyrXhekc18QInXXSVmDOitHRcBxWeLGbZmuglqFazRjhRBsWr9jDXEkLNqimze3M0RwtxF-2BQbyx4qCixmAISixri66VRh0nNFMfKJEl2eQQib3y6aFEuUv-2FPpCT5DpUQeGzs0lYXTAuTWRt9aFupUSSuwu207JiirzraiGv-2FGPjZWXYzdw85SgtziqvAshmxZLigkZBQSh51codSGMQVJllSJpridWGVkS7Y7zwQOuuoY8DK0h2n75FCg98bP8EKr8rckj7cPHfmYFr2URQfw-3D-3D
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1d429758,0x7ffd1d429768,0x7ffd1d429778
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1868,i,10292617236166801452,17223102404094293199,131072 /prefetch:2
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1868,i,10292617236166801452,17223102404094293199,131072 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2856 --field-trial-handle=1868,i,10292617236166801452,17223102404094293199,131072 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1868,i,10292617236166801452,17223102404094293199,131072 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1868,i,10292617236166801452,17223102404094293199,131072 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1868,i,10292617236166801452,17223102404094293199,131072 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1868,i,10292617236166801452,17223102404094293199,131072 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 --field-trial-handle=1868,i,10292617236166801452,17223102404094293199,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1132

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
824B

MD5
1cf7453ca991d86972bb6667a2d2fe67

SHA1
b679f35a213ab78e7a0dd6fe3e40751ffe1fda25

SHA256
f5f1c7d37c9e5e8450b315d52c917cd7bdc3eafbcbde8eb30bca016ead5c7f61

SHA512
4e0147217d0baacd31c57569b7cf065042b267eb8fa8681890266088e70e73f8c55b98abb23c4b4c700a413592457b39ca4080cf130cb83d4995a941e05adaf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6f7ac5bf5b4bd6c93d0635ef1ebd54b3

SHA1
36cd974f6fcef9dab6bfa7d2a859e0f9e1f26dea

SHA256
722a71f7f420fbc34038b4a1fc5ee0a9bae932edf496ac00174ab9893e8942cb

SHA512
1d1dc17b23c28d2ef26d40ff5e419e641f470ce08cb3c329a679d52abc04b410fb62f67624fe002a769ea6bbdf666b0994a2562cb57e4e6e6c9718dd79fceaa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6333b64305d6d453186fba80049aa0e9

SHA1
6ab144c7b7ec36b24de71ffba4985a38598abc01

SHA256
7303eb42369ab8248f66f38288ee4ebcb0c616fd6a4ab9f5ec2bb8f1995c9c07

SHA512
39add80398c0066e9e34a9d4835a939c3f4a835d28e1d1a0680243875f8a3fb1674a0c4afd18dbe0dc548405d161d255691896206a4bba3bfccddb7b6016fb2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
b08bb918264db6391c7afc6cfe6b66d0

SHA1
0fc8c11046711849f40ce01b3be0f61ba89fef7e

SHA256
06abc9bb349d2e85b05a0194df6502b3a6ac6d7e5b82da8984cf50988344f87a

SHA512
9a8f4c20b8d9847be85bbc6f9d387d17d13a17daa8e3d4ddbc6d9769f4668701d40d9c37101dbe01bba37229d230376d5b6f55197a8685d2072b299f7570daa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit