hxxps://protect-au[.]mimecast[.]com/s/K9EWCE8wW5C3QPgniNjmVU?domain=sharepoints-ftvcapital[.]com/

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 22:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://protect-au.mimecast.com/s/K9EWCE8wW5C3QPgniNjmVU?domain=sharepoints-ftvcapital.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133379085542010406"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3720	chrome.exe
3720	chrome.exe
3872	chrome.exe
3872	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3720	chrome.exe
3720	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 2668	3720	chrome.exe	20
PID 3720 wrote to memory of 2668	3720	chrome.exe	20
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4116	3720	chrome.exe	85
PID 3720 wrote to memory of 4920	3720	chrome.exe	83
PID 3720 wrote to memory of 4920	3720	chrome.exe	83
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84
PID 3720 wrote to memory of 2736	3720	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1b799758,0x7ffb1b799768,0x7ffb1b799778
1⤵
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://protect-au.mimecast.com/s/K9EWCE8wW5C3QPgniNjmVU?domain=sharepoints-ftvcapital.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1860,i,16251394661590940802,17615085099240947954,131072 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1860,i,16251394661590940802,17615085099240947954,131072 /prefetch:8
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1860,i,16251394661590940802,17615085099240947954,131072 /prefetch:2
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1860,i,16251394661590940802,17615085099240947954,131072 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1860,i,16251394661590940802,17615085099240947954,131072 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1860,i,16251394661590940802,17615085099240947954,131072 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1860,i,16251394661590940802,17615085099240947954,131072 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=996 --field-trial-handle=1860,i,16251394661590940802,17615085099240947954,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
d9acb0d4577aef5e1c875f271a3a36e4

SHA1
87635744c59ff6b30604e525182d562bfef3b2dc

SHA256
13227bf2567cb4b9cc2b9fab48add467e5e3dbabe4aac52b39afdd8eb7984004

SHA512
6ca14ad2c792fb1064cb1d1362686dd29782639031a4e3176784a981190f95dc1feebe1acee3946b2e29bd2206023b1c610161a40b3c130519952fedf6842f38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\98fc4ba9-e804-4ae5-841a-8d372a01fefa.tmp

Filesize
1KB

MD5
aaf6a1bf7a3b80a8d2d4bdeeaa142869

SHA1
e877ec45c2c6879f317bb800242a3ffe764176b9

SHA256
f8720d808ecf0dac8612d668982c6fb89c809382d0e95d8fc79af82c66159b76

SHA512
88b76b8f6c119587067320c1596c2f189af18067b490eb6008e13f84fac6ff88e460c3c351196f2e79fd4cfb81fbd9a2e64b8c76fed55663c9c2caee72aacc3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
525faabaf29abfa5d6c5bfd2046aa899

SHA1
4e7d1ea585f9a7c4c94acfc7938b98fe31497c2f

SHA256
c648fc4d80bab6821c00c9ee155aaf1a197a666a0b42af416102687f37b9169b

SHA512
c486156b6adf0e274cc05b73dda41b791eea2ec278737f964aec3a0f84d3685e0140afbc01cd724a9905016ec7638f4f981ed9b14a47265918f35b21e4b6b9f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
afb3f649432a89ca0cfcffe589b90947

SHA1
fbc2e58b888a683b5974cdb72f5c04ebab88c873

SHA256
2a64ae9eda88d29c0b96e341dd92e8684995524efad228a6af664afac9f68f0d

SHA512
b6201d3a289c98213c11032666b8dc90015d2b72c9bd64b25775b3491e6adce4803e898d22dcc6edab1513d4f58811197743cb94bf1bce94b5be8c22de8bad48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
668d80c26f3e55fc73bb7d9860d1aa57

SHA1
471ec4b0a08a3bdb1b3debdfc00162ee44363a0a

SHA256
bd5b496bc5bb5dae63f19889896157a5f4d24e61ae38fa1c5260bf1f26f8f86f

SHA512
04109e83448fd8d62d9a24838585e14bc3f3a566d88f41eac29137e113c5399dbdfc41153627d3567bb9b48ea540ce1d789e5c1d2b50af457618d8fcb5389949

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7125d88cd04731fd3e2c74d752a83796

SHA1
17fe45dd9f77ccfb95f15bc161098b404b043fbe

SHA256
bebadb711d7d8e8ee67541a2ff7ca3a3739edb3d344283b9a74ef363c8ae964a

SHA512
41b221e97f5985aee88e190a0abb0f36708264aa7ecd74bc5e1ac7a14c09a53c56c86ff796c453ef6894cd05b097896b9bfd528403eddfec0641c40ce57ee376

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
b20dfddd5103ada44e57192516cdd9f7

SHA1
2b77643f8eb0ef45cc6f3363dc502e013aa762df

SHA256
2819334fc2868c5b488612452f5e7567a33547aed29eeeed28b0c92e09b2a35a

SHA512
8d850a522830faa7b70ea41b8cabe197e3dc09c4312b54ca296930e4cb9b94dd85e758bffa2699f2053e0be29a995dd7036e32f15e8ae5be4f3a7552d23992f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit