hxxps://google[.]com@office[.]com@adobe[.]com@docuauthentications[.]work

Resubmissions

02/10/2023, 13:03

231002-qad68sce85 1

02/10/2023, 12:59

231002-p8k7rsce74 1

02/10/2023, 12:52

231002-p4a61aah61 1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://[email protected]@[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133407252214377140"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2356	chrome.exe
2356	chrome.exe
3024	chrome.exe
3024	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 5108	2356	chrome.exe	47
PID 2356 wrote to memory of 5108	2356	chrome.exe	47
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 3136	2356	chrome.exe	89
PID 2356 wrote to memory of 4088	2356	chrome.exe	88
PID 2356 wrote to memory of 4088	2356	chrome.exe	88
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90
PID 2356 wrote to memory of 2724	2356	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://[email protected]@[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaae1b9758,0x7ffaae1b9768,0x7ffaae1b9778
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=1940,i,15608715501829276381,18217725812936947152,131072 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1940,i,15608715501829276381,18217725812936947152,131072 /prefetch:2
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1940,i,15608715501829276381,18217725812936947152,131072 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1940,i,15608715501829276381,18217725812936947152,131072 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1940,i,15608715501829276381,18217725812936947152,131072 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4532 --field-trial-handle=1940,i,15608715501829276381,18217725812936947152,131072 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4792 --field-trial-handle=1940,i,15608715501829276381,18217725812936947152,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4804 --field-trial-handle=1940,i,15608715501829276381,18217725812936947152,131072 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1940,i,15608715501829276381,18217725812936947152,131072 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1940,i,15608715501829276381,18217725812936947152,131072 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3340 --field-trial-handle=1940,i,15608715501829276381,18217725812936947152,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1560 --field-trial-handle=1940,i,15608715501829276381,18217725812936947152,131072 /prefetch:1
  2⤵
  PID:4180

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
e9b48302127460758680dd27de87d6c1

SHA1
d0b3cb63bc9973eafdfa7e658f0530cd6f6319a4

SHA256
f29fdd48ea316c9f8887f5f2e7b6f65b94f11786f87bce18dd628c4c9ea2f08e

SHA512
0405ff95a9d7cefd583e2a2375346fea4383867353faa75c7b89c53c4f9bab362b97e212484b24e340c65e0e3c7e0249df561b4aa2543eed111eb9b142921dfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
646cd1d72d646aff1be0e896bf6e2eb9

SHA1
36ee8ed9c4c5e1fc23705f9d5a245fffb53d46e8

SHA256
b01bb17482912c6bae18eaf0b353de9ced4b41b328b4c8ce80a22536689c53d7

SHA512
458f040a8cb30203adf540c035c367275989ffce7f725cd2420fdd8e2a993ac612189900b3a745f760b40da5e7b44d7ae0d3fcf4c2a2b52dd81575e5878b671a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
dbd57853c859f76144dae4e7740790af

SHA1
aede18a48ce27a62dfe7dd7fd086355ae2d65aec

SHA256
c053be30e3f4be86e30cb04638d76c9007dd400ab0609386965e796768bf1083

SHA512
4098d2cda76554e63b44695e441dbfd143c89c92c64c71dd159aaacb29954267a28217ed0477d560e024d133d430b1263465d53ca60d67f297b2e485f91554b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
13696134215a99e282af368bd09d2354

SHA1
ec8c5e946d839cfc21e4cc42e42431cb4a5bffdd

SHA256
37f63334258b38d56e280a58f9e4cd2369bba99ab96a6c8930eedb994ba1dbf2

SHA512
b83c0b3af34ec39a948c53ec5aeb7f16e764b83496e6138c62695c3f67d6cdd82bf74babbe829db8c9a61cbaad1e48523f08b87508eb2ea15255085c9d2aa9ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
ad32b0bb5d0defe5cd85d8a81dac9eca

SHA1
8276e1f79859dcd7a3f1479bd9f3fa76f4346fcb

SHA256
52b93e944b9ed2ad35cf08ee2f9e9c10515dd898c715031454903b540684e7ed

SHA512
5b833de93e12d7e1808c9054808e52c93accfbf0e099f983050de2170ea8c95f37263e454986fab0a4f9854f8d629bc37816b9324ba60e8568d3d93ff63b2533

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit