hxxps://click[.]email[.]leetchi[.]com/?qs=cf77e7dc522570a8453ab5584d71e707ea39f9a249dc05f57d450de36c1ec6d152f6b6f5b3c2155704ad1d93b75fad3ebe3f48d82cb3a02f

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2023, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://click.email.leetchi.com/?qs=cf77e7dc522570a8453ab5584d71e707ea39f9a249dc05f57d450de36c1ec6d152f6b6f5b3c2155704ad1d93b75fad3ebe3f48d82cb3a02f

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133382899457725268"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4300	chrome.exe
4300	chrome.exe
2880	chrome.exe
2880	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 404	4300	chrome.exe	78
PID 4300 wrote to memory of 404	4300	chrome.exe	78
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 2344	4300	chrome.exe	89
PID 4300 wrote to memory of 924	4300	chrome.exe	87
PID 4300 wrote to memory of 924	4300	chrome.exe	87
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86
PID 4300 wrote to memory of 492	4300	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://click.email.leetchi.com/?qs=cf77e7dc522570a8453ab5584d71e707ea39f9a249dc05f57d450de36c1ec6d152f6b6f5b3c2155704ad1d93b75fad3ebe3f48d82cb3a02f
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc32c29758,0x7ffc32c29768,0x7ffc32c29778
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1892,i,4099171860777906482,18418625765026452689,131072 /prefetch:8
  2⤵
  PID:492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1892,i,4099171860777906482,18418625765026452689,131072 /prefetch:8
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1892,i,4099171860777906482,18418625765026452689,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1892,i,4099171860777906482,18418625765026452689,131072 /prefetch:2
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3372 --field-trial-handle=1892,i,4099171860777906482,18418625765026452689,131072 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4740 --field-trial-handle=1892,i,4099171860777906482,18418625765026452689,131072 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1892,i,4099171860777906482,18418625765026452689,131072 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 --field-trial-handle=1892,i,4099171860777906482,18418625765026452689,131072 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=884 --field-trial-handle=1892,i,4099171860777906482,18418625765026452689,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
07b586ef24c8bf1e9d79a928585424a5

SHA1
136e166e72fa604bd683f04dad588c9e2cb02e5f

SHA256
1450e92c31846e1cab6a2fb83c470025e65c9fce5473308f234c8a51b33f1208

SHA512
2fb9c71474a78de646594e9971c4b2643a02e1d998b691366ec7fb87bb2bc0016ad810f80db91ef5e666d68141b0010992828343e6511a9201428c01ea79853c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9f9ed5650a4acceb508cf44cae72a469

SHA1
01d9b675b4a51c283ccccff89f1fe944cd4a96c7

SHA256
36feac05f2bb10c05d975f809be77968b46867e5670c7fbc0f3b03fc3db6ea2a

SHA512
4cb815c4d3f5e64d6b2a3d90b3607fb251a83a73fe103c14d612a8ccde69152cbfb129609f66df9124941556f20f67634e9db2c01132af790558da6522d77a8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
057df42a43880a4f22e55a4e8970edd4

SHA1
875d5b15523d0835790e7c7f28d03f57bd745fcf

SHA256
f24f9f19362c6681c8b36f721a1e89f5f5c65f42b94e3cc0cc60c23f3c5eae5a

SHA512
8bcc92a4abd5009a3350541480138f5dae14b5d8c328bce9988cb5d4e73d32a4981a1dec9db847242304963cf4eb4206359a65c603cf3956a47cbb08ea9451ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cb0ced52aac7cd080480e6f44ba82fdc

SHA1
8c5405e51c891e369915ab6737b12ed62fe303eb

SHA256
ab0b7202ccc2fb7fdf3107a4448c39c7f31f7b16349ebfe7027e4b7fb7b437ca

SHA512
0f2690d4858063a6e2aa51125587f478c4d1ce32a0bd4bade33a49b14d16d0203aa1a331cd6bd8f8ad1c13171cbdcf201965e62a9fa76b8fcb315d7fa8d132ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
799ae005d2ff791b2cc3bff5907e9322

SHA1
80169602ea0328993c5848f1520e147f0ef5e133

SHA256
9f31496a2c7960823bbced4f4095c261a8676a5595fc0fba11b9bfd962a49f55

SHA512
97dae9e7fae0ddfafdb689d09cb4ba74fe65f5076a4d9b4649a9320e6590e2f1fbc9dc79327c7eacdc803314dbcb5686cea536ebcd4d866b5ee10d3cb834e0cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eddd8599d08f43628a2a6f69feceb3fc

SHA1
621c59ce09f40c1d258332533f31ba2e76234e9c

SHA256
f9c50f573f164ddd9d62b062d41072f2b55ce2b83ea1c7b551e34b82b24b70df

SHA512
d3b933acf2b20128a17ad157f3b394e8f993ebfffabce01d302a307a49c7731270921ba81d2acdfadb3f17936bf1e7a66dde0f4aeb48eaa098ae8991f33332d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b3131e90-1d79-47f8-96c7-885db1280e26.tmp

Filesize
190KB

MD5
2c33fc7ec5f93ca3c8903783288272bd

SHA1
ef5293f9e289ccfe5f0f5ac63e23bc5fada16fd2

SHA256
246f3f60e575ceada317ea5ca7f5d5499c53672a0601aeabd061e03a29a18f31

SHA512
11b4cbf5c8bb98354a7183d346c3f0bbe2d3f62ddbde537c121680fffc33ab8005180accaf5da4d2d34eabcdb5a7686435c703f5686b7cf5e75e262d3ee9ddb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit