hxxps://mailchi[.]mp/5098a4829ea4/after-dark-ptn-thank-you-wfd-11480870?e=f7d413b9fa

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mailchi.mp/5098a4829ea4/after-dark-ptn-thank-you-wfd-11480870?e=f7d413b9fa

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133415741116072315"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1320	chrome.exe
1320	chrome.exe
3004	chrome.exe
3004	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1320	chrome.exe
1320	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe
Token: SeShutdownPrivilege	1320	chrome.exe
Token: SeCreatePagefilePrivilege	1320	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe
1320	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2264	1320	chrome.exe	15
PID 1320 wrote to memory of 2264	1320	chrome.exe	15
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 5088	1320	chrome.exe	54
PID 1320 wrote to memory of 2800	1320	chrome.exe	52
PID 1320 wrote to memory of 2800	1320	chrome.exe	52
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53
PID 1320 wrote to memory of 5060	1320	chrome.exe	53

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mailchi.mp/5098a4829ea4/after-dark-ptn-thank-you-wfd-11480870?e=f7d413b9fa
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0d4e9758,0x7ffc0d4e9768,0x7ffc0d4e9778
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1876,i,5391735131602504982,2851294778660673080,131072 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 --field-trial-handle=1876,i,5391735131602504982,2851294778660673080,131072 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1876,i,5391735131602504982,2851294778660673080,131072 /prefetch:2
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1876,i,5391735131602504982,2851294778660673080,131072 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1876,i,5391735131602504982,2851294778660673080,131072 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1876,i,5391735131602504982,2851294778660673080,131072 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1876,i,5391735131602504982,2851294778660673080,131072 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3824 --field-trial-handle=1876,i,5391735131602504982,2851294778660673080,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
fb8be35b39ca68a0ee3f745eee858a79

SHA1
ad89f36c826e5dd0b05aa97f5cc50dd29f24b207

SHA256
de7f1593fd583dd92e90cd9cebde71c8a773814ef139968510bfc8abaf41d1dc

SHA512
8927dd270f5d157d5e4faefd41548cb73477544497305f8e30c8d4a5573e9c21a7c9f7d39d52265a67d25ebeae71d25fb4191b8e55533c99ab60525eee49d956

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bec0eaf13207e6db0c99cc8720d0f594

SHA1
3c46bea48aa681f80b158143c0ce5cccae02288c

SHA256
30e815d77fffbb1816b88b209c0d3396f413cc7a95f486dc912de4cb5fdb3615

SHA512
6e8852a4dbd3d6f8cc5893bda413a563a0224f6448ca93ec298cddfdd06f2a03d40393caa10a6fd54b39fb01a4ffc781a6ac70e2e5c849a8340ba708e612060f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
e48166ba9d2a061c00c9fd64f8008164

SHA1
5ee683c2f8b96d6b41c06ee1546ff14352eef516

SHA256
001ff8ab7fda5e95cf70e5e8e539541606ca8e8454aec8898b02781fc8e0ef74

SHA512
4e5f2942238f9d49c79fc9e7278da3b32a44ddbbdacbaa6a28c18c378bdfa1c7e2abfd2c388a9a6fcd73774ef724ce126144a4c466448aaca3aa3d05eafd01f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0f2ebcdbb65ccb90e68d8081f883a04b

SHA1
25470afb775a21a65fa13a4573feaed027822d73

SHA256
eb04d08927c127b433fd1df4528948c45e114152f257ceaf5381eeaeda8eeac6

SHA512
7d93c5853b95100229f411fb8f8e8e74dc9bd5a659f3cd4a296b57b447190612f69fc5ced8c58e5e73a40eb8ae32b755f7c9e2fdd0a659d452d9d3d72ebc73ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
49e20ffccce28bb4bc08ac9d32c77977

SHA1
5c617c6a0765e9d20ba0ff5a52848c70024e7853

SHA256
2c859f2aa03cc45cb6e3260b81a58180c39cd024a6af2ba000f18e59941df451

SHA512
b0596371797ec7fbcc6f99b2e9e96c57bcd2765b725f499ea82b28b6bb294f3071eb9441db9d1df4b1009bec2e5ba01c75ad80a4a6d64078b0a33f200d49a4c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0e13588011014030c49be9e28dd31d41

SHA1
883cc0c428d82e6204078a11927c51775992aa00

SHA256
4482d0ea66749d0dd99b1e2de19bf6d32d39a5010b6992aa7f911524ec11de78

SHA512
b6d81c7db984813df89ef026d55856338947f45b1fe02960bbb1804b39f9504457c3230026ec07947cf79b0e49a9a156e74b95080f1e647602b960b64b512e2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d1a7c73a43605969184cca6dca2d1141

SHA1
4563f36de5b7f35a42f523a26d0f2dd7f42c7d9d

SHA256
bc6b8b588775bfe92f75b07cbf33cacba02637ed0706fbabc7e0c4f3fe523e26

SHA512
26588803cd5e528587dfc71e81bac79614d49c520cbb34e0659dc183ca226fae9f0d0d777d71b9f839df95fc003a73cf9e464287b0b45c382f60cd1de841f84c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
3567f900f8f25d4686a74b8d787da079

SHA1
055552a620aff8c24d2e79724896e9a6d63c6a5e

SHA256
8273e488f1431306538073e465c86ddb0447ff2f4300b0fb3541a0693f6eed96

SHA512
92e1ce0e730734ee7e71b6af32b6a754c851be1b4a40004f13cacec082e3607f5d9ac0b8d791cccbd8e26146779c4a3501f85bc658c98bed6e760c8dd3b5f0ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit