hxxps://sodexo[.]csod[.]com/samldefault[.]aspx?ouid=2&returnurl=%252fDeepLink%252fProcessRedirect[.]aspx%253fmodule%253dtranscript

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 10:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://sodexo.csod.com/samldefault.aspx?ouid=2&returnurl=%252fDeepLink%252fProcessRedirect.aspx%253fmodule%253dtranscript

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2960	chrome.exe
2960	chrome.exe
392	chrome.exe
392	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 4056	2960	chrome.exe	34
PID 2960 wrote to memory of 4056	2960	chrome.exe	34
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 1392	2960	chrome.exe	85
PID 2960 wrote to memory of 3804	2960	chrome.exe	86
PID 2960 wrote to memory of 3804	2960	chrome.exe	86
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87
PID 2960 wrote to memory of 5020	2960	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://sodexo.csod.com/samldefault.aspx?ouid=2&returnurl=%252fDeepLink%252fProcessRedirect.aspx%253fmodule%253dtranscript
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a0979758,0x7ff9a0979768,0x7ff9a0979778
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1868,i,16661479305866617442,4983328371589709678,131072 /prefetch:2
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1868,i,16661479305866617442,4983328371589709678,131072 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1868,i,16661479305866617442,4983328371589709678,131072 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1868,i,16661479305866617442,4983328371589709678,131072 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1868,i,16661479305866617442,4983328371589709678,131072 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4520 --field-trial-handle=1868,i,16661479305866617442,4983328371589709678,131072 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1868,i,16661479305866617442,4983328371589709678,131072 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1868,i,16661479305866617442,4983328371589709678,131072 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3688 --field-trial-handle=1868,i,16661479305866617442,4983328371589709678,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
c65f1edd27980436bd7c4f901bf0652e

SHA1
6416f4e1875ec898bd1646a62e299e16152fa9f5

SHA256
107a0d9215934924dba1cf6f4de59d538f6bea3b339201cf545016aac54e8fb4

SHA512
bd257e929926e1f38e5b374f2244d2662396536199fd3430794edd274cf8b00f6c7599575edf216aca0b9c7328c94c0fae5b8eb398d0a62ae6a9244dc40f844c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\e5130e4f-88f3-44bb-b695-76b0074d8ace.tmp

Filesize
1KB

MD5
00bd0df2c2805ddb971cebdd2ca1a561

SHA1
b79b6d7fbc0a5ecb77412bf70a70e7fc5d7ea56a

SHA256
94b9e2c347a1c867dc31fa70060da84c9f0a3e5836410c08eefd839317b11eee

SHA512
5687ceeae5cb74115b7114e2b7e6cbd97bfe0c5540999cd5f93bbabbd18f14ff6cfd3d402ce932c644589d22c1f850ccedcddd14f8702256766841bd977f825a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
970ac32464131a0226091d7310e77f01

SHA1
0f9201f392e6769d9adda0ca58fccf13e06818c4

SHA256
862c8290484d01f55707df495197c5dd2bd9035d8dca8d6d2d37f3a882f0983b

SHA512
4d127b14edc784cae4462f08651f0b5390e3c784d835e69ce2effc93aa6f15b7361b396d55eebb71be7d28d2a4347a92454c803fe40e7adb008f8da2278916e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
60d69d1e7244183c428ac54b91dcb48d

SHA1
651d9f7a1655a5bd4739f6d73255610267650c6a

SHA256
47b08d966900182181c7532499cb965d16c8c061b33e5f6007bf08ac8670318f

SHA512
0bc59a5954d8e84edb7937af784ed389777723af0ad5af9982dab015404f01c745e7e89f00e33b4b4e51b3c75b4fa26e8083ed5ef4f18dc706f7c1d0342292c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit