e73046a28c0736bc881eed591613cbfaa88f370309f745a06f19bd4979e752da

Resubmissions

03/11/2023, 20:00

231103-yqxyaabf64 1

03/11/2023, 19:57

231103-yprpwahe8y 1

Analysis

max time kernel
57s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 19:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

IRS.gov_Form5071c.html
Size

2KB
MD5

117686efcd9ed95c9b7c300854fb9102
SHA1

299c6767032540195d4e0f4b5815f1f03e8d4f28
SHA256

e73046a28c0736bc881eed591613cbfaa88f370309f745a06f19bd4979e752da
SHA512

535e214d9ea05d4636aeab0d383a5e5efe605146ba6522b4525adba75aaa22691f64e76cff32812fabd7349b5cc3d0ddbced8341c62ddfdde11145b713ac0598

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133435150929571560"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 664	4544	chrome.exe	40
PID 4544 wrote to memory of 664	4544	chrome.exe	40
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1232	4544	chrome.exe	89
PID 4544 wrote to memory of 1388	4544	chrome.exe	88
PID 4544 wrote to memory of 1388	4544	chrome.exe	88
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90
PID 4544 wrote to memory of 4380	4544	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\IRS.gov_Form5071c.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe080a9758,0x7ffe080a9768,0x7ffe080a9778
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1912,i,8684328562311899053,7692608156919169548,131072 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1912,i,8684328562311899053,7692608156919169548,131072 /prefetch:2
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1912,i,8684328562311899053,7692608156919169548,131072 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3224 --field-trial-handle=1912,i,8684328562311899053,7692608156919169548,131072 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1912,i,8684328562311899053,7692608156919169548,131072 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3940 --field-trial-handle=1912,i,8684328562311899053,7692608156919169548,131072 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1912,i,8684328562311899053,7692608156919169548,131072 /prefetch:8
  2⤵
  PID:2460

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
7f464d4f8ec377cc1c43a5cb8e763e2e

SHA1
f283d9abb6d03ec2e23afec5a0936dd92d094795

SHA256
3128a265581ad052b6d82a3b0a2d1334d4ad73722a7a0e1e6cd56de3b941dfd9

SHA512
c6f52855d2453db6ded17e1fa45d7ab08b89a515ae57761ef8ff1e8b2245e0ecd192f3949031903aa731a48cfb6ee116033057209bcde4dd19a099a91a273ebc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
78016b6a1b46852ad5de695326d61a39

SHA1
c2d5b8f9d754dfcbfc459cfcc90c903f7c5153ef

SHA256
6620801a5d7a31d393c5107889ba97c503352821b74e678382913a5a6b453fc9

SHA512
f16d89cbc42ff7228e0b362cc23fdb48b8a55f34e464c3455682695b946f394c17f184bcd5e67993866e4b9a2a423a5042016ae7ddf3eddaa83113df87c67484

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d91f838a19024a027c7fb817d5070ab3

SHA1
69c15f79325eb27829d9576658b5a835ef4d662b

SHA256
45779a7c5dff1f4ffd5237268f4e6a475aa0ed2f4bd8950a48ed5737102e2b0d

SHA512
e61f7bdfb9d487c01cec71367aba4e38b4a0ee866584b02824751475576abb56d2bc7e394e27c44cd8baa05b6cd5f22b755806f3ce795139ca7b66f0da757d9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
ab27ae86e3c9d3d52b24f4121a670793

SHA1
904a34f6b378ecf13aa9b0634a9c472b5653eef1

SHA256
307f027cbb1d7f5adfd106991ecb66efdb741c09a58084924c529bd42c5e9cc1

SHA512
14bbaecb63be1dbef5d5fa57e58ed81986c22619eb3f27952a104dd25f26a725e5020bc9fc5d76e384d4fb267b9a537692cf91079b2d4f0fd9c2c702d979f8c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit