hxxps://t[.]mce[.]email[.]sanofi/r/?id=h403d3e8f,46ce7499,18ddf170&utm_source=AC_Email&utm_medium=Email&utm_term=1077755535&p1=e01e43259c997606010bfcf21d69371c&p2=1908c881b28a1ee5848a1a5c7b7b8d437be7f3dde351e4f3777158ac6f17c278&p3=90b0e8a22d4c0cb053c52d846eafac05&p4=b16459a5320e83b92f0e0cb4063d2df7&p5=43d80410fdf01c33ef92cf0e5ae7ef446b00d588204c4f6af43856bc7190f9c187ea89914831e0efc93dd9064927411b2c593af91f41db8dac490e3f52b11856&p6=0b78ee1aa47a35b0a696a062ebe4a5ca&p7=ee1899adf7ea0e6a63e0272fca4d6d94&p8=9af3a104ecd5785ae2ed02b9e558211f&p9=9e8086ee1947f4a303485c0e63241935&p10=093d531bce4dd31d9ebf45261612f8d9&p11=1898d2fd039dd93743a8c076d04bd85d

Analysis

max time kernel
14s
max time network
20s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://t.mce.email.sanofi/r/?id=h403d3e8f,46ce7499,18ddf170&utm_source=AC_Email&utm_medium=Email&utm_term=1077755535&p1=e01e43259c997606010bfcf21d69371c&p2=1908c881b28a1ee5848a1a5c7b7b8d437be7f3dde351e4f3777158ac6f17c278&p3=90b0e8a22d4c0cb053c52d846eafac05&p4=b16459a5320e83b92f0e0cb4063d2df7&p5=43d80410fdf01c33ef92cf0e5ae7ef446b00d588204c4f6af43856bc7190f9c187ea89914831e0efc93dd9064927411b2c593af91f41db8dac490e3f52b11856&p6=0b78ee1aa47a35b0a696a062ebe4a5ca&p7=ee1899adf7ea0e6a63e0272fca4d6d94&p8=9af3a104ecd5785ae2ed02b9e558211f&p9=9e8086ee1947f4a303485c0e63241935&p10=093d531bce4dd31d9ebf45261612f8d9&p11=1898d2fd039dd93743a8c076d04bd85d

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133373812956805948"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
64	chrome.exe
64	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
64	chrome.exe
64	chrome.exe
64	chrome.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 2372	64	chrome.exe	61
PID 64 wrote to memory of 2372	64	chrome.exe	61
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2768	64	chrome.exe	83
PID 64 wrote to memory of 2348	64	chrome.exe	85
PID 64 wrote to memory of 2348	64	chrome.exe	85
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84
PID 64 wrote to memory of 3752	64	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://t.mce.email.sanofi/r/?id=h403d3e8f,46ce7499,18ddf170&utm_source=AC_Email&utm_medium=Email&utm_term=1077755535&p1=e01e43259c997606010bfcf21d69371c&p2=1908c881b28a1ee5848a1a5c7b7b8d437be7f3dde351e4f3777158ac6f17c278&p3=90b0e8a22d4c0cb053c52d846eafac05&p4=b16459a5320e83b92f0e0cb4063d2df7&p5=43d80410fdf01c33ef92cf0e5ae7ef446b00d588204c4f6af43856bc7190f9c187ea89914831e0efc93dd9064927411b2c593af91f41db8dac490e3f52b11856&p6=0b78ee1aa47a35b0a696a062ebe4a5ca&p7=ee1899adf7ea0e6a63e0272fca4d6d94&p8=9af3a104ecd5785ae2ed02b9e558211f&p9=9e8086ee1947f4a303485c0e63241935&p10=093d531bce4dd31d9ebf45261612f8d9&p11=1898d2fd039dd93743a8c076d04bd85d
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff75c69758,0x7fff75c69768,0x7fff75c69778
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1848,i,8470064274584667741,14407848290239247175,131072 /prefetch:2
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1848,i,8470064274584667741,14407848290239247175,131072 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1848,i,8470064274584667741,14407848290239247175,131072 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1848,i,8470064274584667741,14407848290239247175,131072 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1848,i,8470064274584667741,14407848290239247175,131072 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4656 --field-trial-handle=1848,i,8470064274584667741,14407848290239247175,131072 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1848,i,8470064274584667741,14407848290239247175,131072 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1848,i,8470064274584667741,14407848290239247175,131072 /prefetch:8
  2⤵
  PID:1456

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
36KB

MD5
13199e3b86f2689896e7d99ccadbb17d

SHA1
5e5ef7148e10f5495741c5ab6c0ce9a987929f55

SHA256
2aebf8a1321aa2dd2727d361ecb6caf929dd1c3591c00850b5726047c1826150

SHA512
036824888192a5c3f834419f1164eef10003f5c7155e9a9ae6bdce23de039ec1de86408a8d2fe465a7552a22a60f4f9615da0fda4d4202360d13fade9d84f39e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fd4782cff8d3b838250345002e77e02c

SHA1
d388257fa77aef55bb52112d985be27f2dd056ab

SHA256
1fe4fe6c9f9c975bb003cfadfea0b74bec03628cc0a4398ca12dd7a60530c2a1

SHA512
6fc5f30c1d43b9190b64c2e6882f5134afd9334f2cf0908a5f396dfb05e989a08ab44a81d546a28fce75c4f14a01a7082bda3484e69f2ba6121eece098376425

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
fcfd55763ac2b06890d84813e88a83e4

SHA1
0329a7a0956538f6c49e6988f396af10b2755055

SHA256
fb03e43e64d7479d869d665433b9288c42e41f013c2a690e320410a632005ae9

SHA512
c36681939801dd4ad16ed04029e76f93c481ae65d04099d023e0350f7f8fe49252ecdc36eb52a63605b4b06705dffecd552547f5b9014ed9706ffd84a549fbba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit