hxxps://mailchi[.]mp/37bf7751ce28/miguelito-presenta-denuncia-en-el-mp?e=9b2d34ef56

Resubmissions

23/10/2023, 15:41

231023-s41cnshf91 1

23/10/2023, 15:34

231023-sz6znahf6v 1

Analysis

max time kernel
137s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231020-es
resource tags

arch:x64arch:x86image:win10v2004-20231020-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
23/10/2023, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mailchi.mp/37bf7751ce28/miguelito-presenta-denuncia-en-el-mp?e=9b2d34ef56

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133425493101358525"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4172	chrome.exe
4172	chrome.exe
4564	chrome.exe
4564	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4172	chrome.exe
4172	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 752	4172	chrome.exe	84
PID 4172 wrote to memory of 752	4172	chrome.exe	84
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 6012	4172	chrome.exe	86
PID 4172 wrote to memory of 2868	4172	chrome.exe	87
PID 4172 wrote to memory of 2868	4172	chrome.exe	87
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88
PID 4172 wrote to memory of 3852	4172	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mailchi.mp/37bf7751ce28/miguelito-presenta-denuncia-en-el-mp?e=9b2d34ef56
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb848a9758,0x7ffb848a9768,0x7ffb848a9778
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1792,i,11195694326862952737,15738473558511919803,131072 /prefetch:2
  2⤵
  PID:6012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1792,i,11195694326862952737,15738473558511919803,131072 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1792,i,11195694326862952737,15738473558511919803,131072 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1792,i,11195694326862952737,15738473558511919803,131072 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1792,i,11195694326862952737,15738473558511919803,131072 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1792,i,11195694326862952737,15738473558511919803,131072 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1792,i,11195694326862952737,15738473558511919803,131072 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2708 --field-trial-handle=1792,i,11195694326862952737,15738473558511919803,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4564

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
dc159fe5d37314fb951a5e10fb7a72ff

SHA1
188ffbe0eb9b4453ce66c3f54b23df121661d708

SHA256
2dd57bf2b652297bf24f92543522489e18368215dbc914bf370b6fa21cda6136

SHA512
04db4755411fea28fac59bb7681dcc759930500ff4ef5bcad45e22bf857a3d60ee597bebf2ca1807d9d58023940bd2300115cebfe80c9fdb0f0529afd2f47a08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
245c854006a13930c8da58e504ff4676

SHA1
cb8616e644b698f269e98a8e76a972d7a3e3af8a

SHA256
bbdcf6986e307ff48a34c215ae0bb266803a392f03cb0850bdd00e62fa00c11d

SHA512
55e3c9cd973b0cdee1aefe55ee31209eed54f5d297058dcc1b1bf92d4341c5f397c349aa4331b2086edb52c35c1950c3fa15c1b850641f30f0ddc8f109cff5b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
afdcb1454b0ee2a64435d845a0393b42

SHA1
f03e9d3a5066e120a8364cdc7d813c342e47a110

SHA256
296da2f2e036e42a07d238d911d24c3adc103b4905e4f849415a16c2023e61f0

SHA512
d8f754f7e8fb0294e1b095d5b3705b866559cbb4052f66bcfc1d72119f3b09f9cf7b434c82135994130edb248798d0ae0fc2cd3a76835a760f4852880c7909b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
b2aa81ca12891f159faac14243a97756

SHA1
ab74a15d536522de2c8fac37817b6cb2c87f5b15

SHA256
9ffd314aabaee4f8f6f25075a2df94838fef33a32236e3cc4ebb756f7b1d0a0d

SHA512
c6bef722eb9ae3616f10dd24a2c444e2aad5d2f5d730db0de873b9863ed0db088631d9f5626fa3c5474ec5dceec9f05d8d9fe91dda87fee83650ed8f04fdfcdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit