hxxps://govconnex-2658b842bdb1[.]intercom-clicks[.]com/via/e?ob=epCMGL%2BcFyoqIPONfm8FEBtMbyZcF4P1H%2BWIroDfQtJqqH%2FmelfhAevbP%2B6fEqxataHJX68AAJA0umdBrkSPHMx4ioVtBhJm5jjwR%2BuKAZwLXBcu28KDiylCu4B%2BaZjnGciz56MQIp9bUUDPwZQ86XYYFUu3VBhxNgXFB8fH1oR8LSVnu6lHEh60oUosOyki5TuFbTbruC1NQHCkrprR%2F95wCfByL6xxCb0VH%2B9onHW5IeOtVNU

Analysis

max time kernel
48s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2023 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://govconnex-2658b842bdb1.intercom-clicks.com/via/e?ob=epCMGL%2BcFyoqIPONfm8FEBtMbyZcF4P1H%2BWIroDfQtJqqH%2FmelfhAevbP%2B6fEqxataHJX68AAJA0umdBrkSPHMx4ioVtBhJm5jjwR%2BuKAZwLXBcu28KDiylCu4B%2BaZjnGciz56MQIp9bUUDPwZQ86XYYFUu3VBhxNgXFB8fH1oR8LSVnu6lHEh60oUosOyki5TuFbTbruC1NQHCkrprR%2F95wCfByL6xxCb0VH%2B9onHW5IeOtVNU

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133396639799711196"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2332	1368	chrome.exe	26
PID 1368 wrote to memory of 2332	1368	chrome.exe	26
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 552	1368	chrome.exe	89
PID 1368 wrote to memory of 4416	1368	chrome.exe	90
PID 1368 wrote to memory of 4416	1368	chrome.exe	90
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91
PID 1368 wrote to memory of 4420	1368	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://govconnex-2658b842bdb1.intercom-clicks.com/via/e?ob=epCMGL%2BcFyoqIPONfm8FEBtMbyZcF4P1H%2BWIroDfQtJqqH%2FmelfhAevbP%2B6fEqxataHJX68AAJA0umdBrkSPHMx4ioVtBhJm5jjwR%2BuKAZwLXBcu28KDiylCu4B%2BaZjnGciz56MQIp9bUUDPwZQ86XYYFUu3VBhxNgXFB8fH1oR8LSVnu6lHEh60oUosOyki5TuFbTbruC1NQHCkrprR%2F95wCfByL6xxCb0VH%2B9onHW5IeOtVNU
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff911989758,0x7ff911989768,0x7ff911989778
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1848,i,5587380536094176066,10852823107887211046,131072 /prefetch:2
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1848,i,5587380536094176066,10852823107887211046,131072 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1848,i,5587380536094176066,10852823107887211046,131072 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2880 --field-trial-handle=1848,i,5587380536094176066,10852823107887211046,131072 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1848,i,5587380536094176066,10852823107887211046,131072 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1848,i,5587380536094176066,10852823107887211046,131072 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1848,i,5587380536094176066,10852823107887211046,131072 /prefetch:8
  2⤵
  PID:2644

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
507c77e69cb6e9204d8332c05210cde2

SHA1
42d486ed069a07f018fcba5e214f91d9321eb2e5

SHA256
3376991dc15c6b4a892cf596881caa6f304dbea2c4e3b02e50239269b099b471

SHA512
24e69d07e573816172d9a31292d4a99e100278dc16c55bd40b4448a3573994e7afebd637681c2dfbcdaed420733cdd0cfe5226aa164a402f5e6abfe2e298bb65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e02a7f5a23ca710d1296e9093ea88bde

SHA1
527ebc65ccd3d4953584967aaf6111eb2398e545

SHA256
2eb5bd2e1c01bb8e913105223e7bacaf08787a0b9dd5054449cdde34cad27e0d

SHA512
dec9cdbed946a78102c483d0d7b340de033cd845717f3ecddb59ec94e7919954a55610a05c7d2a863866ae919a2efa9a14a2a387df71ccf3291a6f8c9162fa7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e1749bb0-388f-4eea-ad20-f80aa0a5ba3f.tmp

Filesize
6KB

MD5
13a8730b9dd8ccded204cccfdf4757ef

SHA1
cb055b803dca706c4e2863a1028966da0ef1df08

SHA256
8e6c41e29030e4b03f8c70716ac244084ba49f7bf727be793394bbca1e08f1d7

SHA512
ecc4924ad4e8ff30fd4e1877c34cb4b855510637bba6f4964a97343a93ae9c383bb1de695c9656f44c44772c556938986991f13d40c05b2ef17c51ab9459a6ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
102KB

MD5
bc6d5c4979a5c3c061c996863b81cc49

SHA1
8598155652bcfbe45a4dc8cb5037087511f1fdc0

SHA256
140fe774cb09ed189ad12d5c80cc3c3c8638f4dfbf485e7079c5bad61987b2aa

SHA512
d7891d45bbdc304cecfdedaaec7daf6973ca5abb3b8b583a638b3eb60860074d901936f12f1ca6f19302a6fc4f2da350892912c7bb66a6d7479220409f72aed2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit