hxxps://contactmonkey[.]com/api/v1/tracker?cm_session=08673eb5-8436-453b-a458-578b8ffc7145&cm_type=open&cm_user_email=elliotrodger@executiveplatforms[.]com

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2023, 03:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://contactmonkey.com/api/v1/tracker?cm_session=08673eb5-8436-453b-a458-578b8ffc7145&cm_type=open&[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133394830447788659"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3388	chrome.exe
3388	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 3864	3888	chrome.exe	84
PID 3888 wrote to memory of 3864	3888	chrome.exe	84
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 4692	3888	chrome.exe	87
PID 3888 wrote to memory of 772	3888	chrome.exe	88
PID 3888 wrote to memory of 772	3888	chrome.exe	88
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89
PID 3888 wrote to memory of 4704	3888	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://contactmonkey.com/api/v1/tracker?cm_session=08673eb5-8436-453b-a458-578b8ffc7145&cm_type=open&[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3be09758,0x7ffe3be09768,0x7ffe3be09778
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1952,i,4164800100868838398,8555746847871149393,131072 /prefetch:2
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 --field-trial-handle=1952,i,4164800100868838398,8555746847871149393,131072 /prefetch:8
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1952,i,4164800100868838398,8555746847871149393,131072 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1952,i,4164800100868838398,8555746847871149393,131072 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1952,i,4164800100868838398,8555746847871149393,131072 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1952,i,4164800100868838398,8555746847871149393,131072 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1952,i,4164800100868838398,8555746847871149393,131072 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2664 --field-trial-handle=1952,i,4164800100868838398,8555746847871149393,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3388

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
1b2941f8a67d2b4a5295144b57e269e2

SHA1
2ab8ea910238f749f28a1c6dc83f324c00687fa6

SHA256
c8e7eaa9793b29e913d7f0364e9f637142908504ba01a5ed25beede2dcb280bd

SHA512
155075ff238b0cc8f4cb7d88d7916dd52d211aad1885bd16fa5d33a69c8ddfcc2f29d99779120ea2e57e428e3b1a8f44fa6da0a36b72ca0f0146190297ca0735

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d6ae1b238e493e02363e12cad0034178

SHA1
2b66e595f17e97d25967648ba6f28173c8cb3d0e

SHA256
abc8159db86f0d44b56be16716afb78088eaaf609307fc7523b7712556061423

SHA512
ae90a25e777d654a9bc7cd83e40c1c90cc9e7a253cd38db0398573da42d1922f2166920ecdd8aca4fd93c83c4062e4b7f30826dfcf731218ea3b38c5e11bd85e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2d76342061d9184f8a97bef8ad945965

SHA1
1016fb29e6505efa558980c2dc68c64d086e60b1

SHA256
75244526eb7995ea8d55d1d54aca9fd227a9139b93e0cd9a64fa922c4b2ec939

SHA512
e67b7b239451bf4356510c47c89f88d3de312a47c7eec46d990b6ba9b06f5b56d7652c5e0454485e328b549fdf0f7e9512563e85c7ec464d8f49b73708520b45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b1f3d60a8aca884f9fce9b5aab131c8f

SHA1
88c3bca652861f432d756ddd5f853c884aa79d02

SHA256
4c1ae0aab57fdaa693fb8bbe51353d0dedc1acbcb6616533b47a4e5676e57bc3

SHA512
9147c9753a9b1e0472bb364204607c8bf108d88cdbf95e8247be69da81d346ba5bcdeac439384691196113b9d9b0a59ef49f388ed4e9aa1861d0a550651f28ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
102KB

MD5
e238fb7b1584667a535e09700fc52721

SHA1
615b4d2981a216547efc203e91117ee4ee04f19f

SHA256
92f4c012f9807d40b7af6850898c77ad5ab500e40e53c260fdd3432b7e064536

SHA512
936508ea90c940289c7272d6865057a74c5225306ffac7ee998ea278acc8d72c545af7388cca5bb6b8687815bd12c367b5e4094be46e12a2ad0114ccd83baaa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit