hxxps://forms[.]office[.]com/r/qAh3Yzyf49

Analysis

max time kernel
195s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 16:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://forms.office.com/r/qAh3Yzyf49

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133435016858744858"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3596	chrome.exe
3596	chrome.exe
1532	chrome.exe
1532	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3596	chrome.exe
3596	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe
Token: SeShutdownPrivilege	3596	chrome.exe
Token: SeCreatePagefilePrivilege	3596	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 1332	3596	chrome.exe	68
PID 3596 wrote to memory of 1332	3596	chrome.exe	68
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 432	3596	chrome.exe	88
PID 3596 wrote to memory of 3620	3596	chrome.exe	89
PID 3596 wrote to memory of 3620	3596	chrome.exe	89
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90
PID 3596 wrote to memory of 572	3596	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://forms.office.com/r/qAh3Yzyf49
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c00d9758,0x7ff9c00d9768,0x7ff9c00d9778
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1872,i,7352770719217551725,9175235806984551202,131072 /prefetch:2
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1872,i,7352770719217551725,9175235806984551202,131072 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1872,i,7352770719217551725,9175235806984551202,131072 /prefetch:8
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1872,i,7352770719217551725,9175235806984551202,131072 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1872,i,7352770719217551725,9175235806984551202,131072 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1872,i,7352770719217551725,9175235806984551202,131072 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1872,i,7352770719217551725,9175235806984551202,131072 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4660 --field-trial-handle=1872,i,7352770719217551725,9175235806984551202,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
bd41b5431ba348a7c6c7993a6c2b8c0f

SHA1
7d1d1884b4fffbb48847b1a4b1ef72dc088a15ec

SHA256
6c07b7768c8a72ca568f51639181436dde946a79856b21a8e18c45e1329caa0c

SHA512
f67ea1987b69ca267ed9cf8a97b60ec6a672ad69508a55052ab0314398c434d3e42a3a751cc1521717e078199af686321e2fcb39e9689157fce4ddd379c0d738

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9e987aaf647d3be141d6211c612918c2

SHA1
13ba8d9a44670af2f7632595175c750ea845a326

SHA256
617c80b2aad6a2b091648f52c08c058d69a56baaf6369e29ebbdfe5c0cebeefa

SHA512
5e1199f8fac988084a30c8afc173777708757fb4f7414993826d81dae95d98f0cb2794349d5497ef4ee112ebce5b5db906ae1ab1cf0af35aa7652044bf6bf727

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
46a27ab43ee9cc3790ccc78fe7766863

SHA1
c60373c4077e1e46396dc2dd5a29d3cc9600a216

SHA256
39dfdae099fd6cdd8936458366bf02e580babc6c6f81c056744ccd0c04cb301f

SHA512
1890d6d4e5e82b6068027db2f8ef572d0752afd0813b82a75664ef1f036a31550396ae409536d8a4c8f37e5e11f9d843e536bb1961c1f6ecb61533cab35fb5f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
749fec8a587112163a0f3918a2a04165

SHA1
efcf4b8f8791d39a178459fc11a784d7f989d4fb

SHA256
4efef02b61a617cf60e6d45d3aa92593a18ac00ae3439548449810fc0938486c

SHA512
2b2f33dc99ec43a1bc8bd9d8bcf14c2245b7e3a3fda536de6eb462139770c2c716145ed2c5636f3c17290680c21565440bf93768f5d62a96ad26881d4d06e1dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
1ba525de32dfa29249a1135c9e7a2790

SHA1
fa6c325e83b503abae74639d24e7c60f45a55580

SHA256
05658392a1ac5465c55993e385b0abb31590eafedb79678985107a99fc6ed82c

SHA512
c2ce934156dbc7c2f0a15f1355058381347e9faf401cb97d2242f77b3fefdca18b3c793d6861bd59570a37d55bcf8b0f697bbfcf13219edf57b44df145d62cca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2fb628f97673ef29ed64535ebf695b7b

SHA1
62dd7490637a5816472942189644b465d7279680

SHA256
bef7050cd86586a2068ff0f8a40db99fff6c0621cbd1ddd05c1b164379d4d130

SHA512
6e070609dc4a314f70731a46169c260eac26eaad089342d4e5e0499ea4a6d5abd036abdb41e55c811a3cdbb9b2e091ae88c0c435a379f838167b1e02bbca00b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d167feb61fe96b9f4e5fcb1fbd7a6e73

SHA1
83e640de7baea60c996967d73ae5acbab8d56893

SHA256
0c42db4c9bf7ad9b697d62ee81823f9580f2d4c208590fa4620a3e439f17e93f

SHA512
1b254022025dd15adb6536dfe22ee9ca6e175e893bd1254037eb0d6f97921a3ec8d10dfd128630a2365f769772521f06b1eccf15f62f4d29fba374fb1cd13aa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
e185720301ab7da6ac49071d505895ce

SHA1
ac4ee99d22108762a226669332d6f69fef665808

SHA256
515afdd83bb356316687bf2940e84eedb9938120fc43151394219000f120e12c

SHA512
e44fb46598c2259557c3566017a525ce6e3eac872e758ade10d2788e1bf2b0add1349aa49b7948e47ee3b56f84999e1f2c8f7012b74aea07ba4b0f24312357fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit