hxxps://offers[.]sheerid[.]com/uscellular/employee/?verificationId=6508520a604f9739451d9da3

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2023 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://offers.sheerid.com/uscellular/employee/?verificationId=6508520a604f9739451d9da3

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133395242510711128"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2736	chrome.exe
2736	chrome.exe
2628	chrome.exe
2628	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2736	chrome.exe
2736	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 5020	2736	chrome.exe	34
PID 2736 wrote to memory of 5020	2736	chrome.exe	34
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 1920	2736	chrome.exe	86
PID 2736 wrote to memory of 2860	2736	chrome.exe	87
PID 2736 wrote to memory of 2860	2736	chrome.exe	87
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88
PID 2736 wrote to memory of 4884	2736	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://offers.sheerid.com/uscellular/employee/?verificationId=6508520a604f9739451d9da3
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xb4,0x114,0x7ff8899e9758,0x7ff8899e9768,0x7ff8899e9778
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1848,i,3412689911603977840,4596873489276873947,131072 /prefetch:2
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1848,i,3412689911603977840,4596873489276873947,131072 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1848,i,3412689911603977840,4596873489276873947,131072 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1848,i,3412689911603977840,4596873489276873947,131072 /prefetch:1
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1848,i,3412689911603977840,4596873489276873947,131072 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 --field-trial-handle=1848,i,3412689911603977840,4596873489276873947,131072 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 --field-trial-handle=1848,i,3412689911603977840,4596873489276873947,131072 /prefetch:8
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2348 --field-trial-handle=1848,i,3412689911603977840,4596873489276873947,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2628

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
6bd450c5fbb7a87a3e32df20c02d2c9b

SHA1
78d49640405ec6e00e3cc89ace657288cb135c21

SHA256
9cf311fe09c7c3be0071f6ce9bc93f1230bae30041f74aec6df43f2d9a71f81e

SHA512
a4c1ce228522f62181b92ca09fd2c518cd2faf7eac64b58cfb0c14433a24849618e6ca0066b953e61687689ac546fb5dc8062ffb806002e0400f19f5dcb65c82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\3b660eba-54eb-435b-9339-d035709d3570.tmp

Filesize
1KB

MD5
bd58b050d09734bfa72c3416c707518f

SHA1
dd73774e7322dd6ec746f8af079c551310ce438d

SHA256
e61d9740e0422bce7cc904318ac160ba53c90606d807fcf1bb7ff9008332b46e

SHA512
6c2eee7923e839e25280c649581fbffd9de52a868e01efe6e2b3c3256a59fb45265b76a729ae7f9d33565a102af169b4e0a658d097739aca9ba9cc65927743b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
035b9900d23cd081519cebb2dd04a681

SHA1
e1e80fe8ca0f14e97d033a7db78517b03aef749d

SHA256
5f8bb292f20810e0cb7c6c69d43f2a9639c6e55a1ad4d48967c7e2e254bee96b

SHA512
2c20a1b5433e9855626fa2ff2f3bae4c872e319a523344b7e0d1062b0ca425c9a778a8be6eafbc28fb399c1ebaaab87a0ec3f28b2d04891caca394855c6e743e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c25fbafcd53a725fd1896f84a733aeb2

SHA1
960f79b7cbeff9f13681b64480e79e45a126a618

SHA256
72412141a28dca9fe86dd7ed4f7163375f5fab54cfa2dfd63eee208b1aa84f92

SHA512
d8585c3de076b2d5d5a2a9d613c350d4d9204f8eae6b3a3841a6e6d36879b023062d24956fd069dea3322869cd8d950e3b41a729d0559ac6ee0e9d5358dc207f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
552543ccbd176a6551bf44f9c9b5719e

SHA1
0512009d055a3da93a324f7d4cb4659d856442b2

SHA256
2290b02db3b3fbdacaccefd88254c8892efde56dd37925d1a9af23a42344d348

SHA512
7e0b1cb90ae4b40bbee5b9792aeb0c9441cfc50dbaacc155ae94b327bf0b08d8a1870a9f8394a0ef278168e6fc6e85e83f5fc1f66ee282423fde39fd6f8bc375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0a9eb938101ba36a94c953b1d1254520

SHA1
8e20f57fd939c1f0a1d6194decedb311b6683d83

SHA256
85d57bf0e61f393aafd15e1e9475fd393db6157c1252bb3d349f85d3e546a3ad

SHA512
877e32b722ce7ef35bb24458eeb775927a86a2052aba391c226677e684cb80d860252ca0f1066f38a4bb72c8ce2f11f6e1a0bf5c36f8013a74af5f2c273ccac3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
102KB

MD5
c9a191fe3ea8a422f188f2fbf883bae0

SHA1
b4cc58c8d803fcdc398911141a04f25a9b7d9290

SHA256
f6967a5b95dfb6118ac0638463574ef023a188f49a5fdb4b66d46c3a6b0b40d9

SHA512
f894f31504eff1c9c2c82be8b9e8d4a2ec96537b5299fb258674d5138dbeda06f01a0a13cb33139c56e194ec09e680a8efbc0bec6c7a3fe6f953bd3e1dcdf7e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit