a9ab829005b8c304bdd00c873831d8fff5e5c9417f091b6580f2d4af4e5f4296

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2023, 02:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Employee_SSN.html
Size

37KB
MD5

4726dc039c527584fcc67c69c25b3555
SHA1

7d0c59fb359ca4dcff8058117e9462fe27a9dcaf
SHA256

a9ab829005b8c304bdd00c873831d8fff5e5c9417f091b6580f2d4af4e5f4296
SHA512

d13a906e0b917632ae80e4a8708fffa706fa83ce2e6d39b2e9377d271b71379214241955b7912f856026f51b013ebbf42282969a18ff1821ff5db5ae1c190fe6
SSDEEP

384:Hu3Bvh209aWECcTmfiLK2D8DSsW8CMu5horKKHKMK2pwXAPs6:Hu3BZ20sWCTwdC5szKmV

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133409457154150105"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
1848	chrome.exe
1848	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 3932	2232	chrome.exe	84
PID 2232 wrote to memory of 3932	2232	chrome.exe	84
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 572	2232	chrome.exe	88
PID 2232 wrote to memory of 1984	2232	chrome.exe	89
PID 2232 wrote to memory of 1984	2232	chrome.exe	89
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90
PID 2232 wrote to memory of 4988	2232	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\Employee_SSN.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea2209758,0x7ffea2209768,0x7ffea2209778
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1868,i,874719790365416423,8326935483472171692,131072 /prefetch:2
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1868,i,874719790365416423,8326935483472171692,131072 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1868,i,874719790365416423,8326935483472171692,131072 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1868,i,874719790365416423,8326935483472171692,131072 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1868,i,874719790365416423,8326935483472171692,131072 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 --field-trial-handle=1868,i,874719790365416423,8326935483472171692,131072 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4220 --field-trial-handle=1868,i,874719790365416423,8326935483472171692,131072 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 --field-trial-handle=1868,i,874719790365416423,8326935483472171692,131072 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2584 --field-trial-handle=1868,i,874719790365416423,8326935483472171692,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cac9e2727881f7448710c7538d378d4f

SHA1
e74d168ff7535e32105f813318dc17d173af9483

SHA256
1f3d7a6ef8856370222c217fda5c1db0c084897e35f0a9ba9034c9e1feecaf32

SHA512
c594a6701cb604ae3e646456898bfd865bc1298e93d000034a268f4ffc4433feb2840cc5d594bce3f861fbc1e1a227e76d3cbd4c14d4605bfc0f5589b1267907

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b24d3cb92b07049ce8e11a0c75db918a

SHA1
f7182980bd08dae1788beaddd217d70f293740ad

SHA256
16ca5b7a8c1d27664048da3b5a45e983b8082615dc66e68f7f4c4b9e5bb82ce2

SHA512
bca2ba657c947b3bf2135bc8444e839780b3aae53ff0937c5e96fc1932e256acab642032dc35cfc3715ac73c4ebe101ed5ad033767ca6e75dedd95cd791bf8e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b01679be6bf36e0c2fca2c1a368b9536

SHA1
c17195d4cc7f7fbdc121e012a021575446523d51

SHA256
11919217756fa12bd7ca735354efefe012ab619011c2e84d2d794c0f66f9de30

SHA512
0a5519882c7fb759ddd8291e7b30a0ae732b12f7d6164811ed55538634201697d77c4575aff665604fc360ab308ef2cc8cc9c4eec6194010f29fb3db436e73ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
e736f4707209a7167800b9c22e0a1c0e

SHA1
72f8ee02f76d1b54a5e55b3cba92b0ab91c58a88

SHA256
953e90a02899d8f2d4401230e77a00d5803ddc4b07a19388a1445a2ffcf66dc2

SHA512
1422d73877fbed810823270f077ae67f3d1431669a7b77956eeeb427b08f913bcb34494e00834d027837044d10f88e85eaded201358999be3b9714de19e41705

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit