hxxps://personales1[.]wpengine[.]com/VV

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://personales1.wpengine.com/VV

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133376910410656655"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1328	chrome.exe
1328	chrome.exe
1424	chrome.exe
1424	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe
Token: SeShutdownPrivilege	1328	chrome.exe
Token: SeCreatePagefilePrivilege	1328	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 116	1328	chrome.exe	81
PID 1328 wrote to memory of 116	1328	chrome.exe	81
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 4860	1328	chrome.exe	83
PID 1328 wrote to memory of 1552	1328	chrome.exe	84
PID 1328 wrote to memory of 1552	1328	chrome.exe	84
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85
PID 1328 wrote to memory of 2320	1328	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://personales1.wpengine.com/VV
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0b699758,0x7ffb0b699768,0x7ffb0b699778
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1824,i,6755393896260594218,8437828561839596204,131072 /prefetch:2
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1824,i,6755393896260594218,8437828561839596204,131072 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1824,i,6755393896260594218,8437828561839596204,131072 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1824,i,6755393896260594218,8437828561839596204,131072 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1824,i,6755393896260594218,8437828561839596204,131072 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 --field-trial-handle=1824,i,6755393896260594218,8437828561839596204,131072 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1824,i,6755393896260594218,8437828561839596204,131072 /prefetch:8
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4956 --field-trial-handle=1824,i,6755393896260594218,8437828561839596204,131072 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3088 --field-trial-handle=1824,i,6755393896260594218,8437828561839596204,131072 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3760 --field-trial-handle=1824,i,6755393896260594218,8437828561839596204,131072 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4664 --field-trial-handle=1824,i,6755393896260594218,8437828561839596204,131072 /prefetch:1
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2436 --field-trial-handle=1824,i,6755393896260594218,8437828561839596204,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3736 --field-trial-handle=1824,i,6755393896260594218,8437828561839596204,131072 /prefetch:1
  2⤵
  PID:1256

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d9b1d59f787b2a1ce5106a3642ed03db

SHA1
277d3240006e351de2166175e1af41bc0f810a60

SHA256
791b0499453532291f58b147d25751e690be8ce88e8e1ebc342dc1b924ae3a8d

SHA512
3665e3ccf0c512d921a69ace9b9dc3fdf3865909b2605da7d106720d727be5346e0b1afe4ccbdb4c0069bb1d81f187bf8a695ed0a038f7485c7c6292f1ffb9e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
59f2516236f1dc62fc29c5e14b9d3fa7

SHA1
cb96d696778a6857d741972983c1c6f9eab0e89a

SHA256
99a58290cd35767e0914d03f8859bb9030b1d0861671198ded567fe7b4b17012

SHA512
446dc7a9bd506c6b5480d97afe8ad3e1ff572a26e29bad4d2598ec1f035af7c9efe680323bfb4e9c39f80c4c2a0d99043a27ba378987a5ea4cb5e7ebd8d815eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
624423e72ef2de75cec7e4169d6e7a26

SHA1
be2a6e8ef0d563ef72e1a8d13b098a082af3ff0a

SHA256
6dd8534e92318e4438f5859ad0bd56b292690a8ead7e600f3a8d3e5a1adbdece

SHA512
addd7bd060bf202501494f7d6bfae9fbec255b9c5c7ae236e953386c97c7159935d0b0d5aae5c58d29754e3d11369a4c5b7d895ad77a756c9a5b17e4764eeb22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
cd9f1d459d0304210d937e634b8e36a6

SHA1
832a336e6d9eec8148977f1e2af866c221defdd9

SHA256
d4e86f6fc6897b7ad5eadb13061e1d47e1f16b0e5ad440059d49ad3c03432929

SHA512
58195c32567bbc7a6c4b5cdd93de0d26b3f8a7e625b9504a751ba24a397f3c167c3225000ce36c2ca856f66d373342d2b1ecd8d69676ba58d078ac64e67cab51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit