hxxps://go[.]alacriti[.]com/e/1004322/-source-email-utm-medium-email/w15b/112375512/h/mUfDwOohsRmxD8isa_eKAuLeijHxh7HWk6RzNR5WN88

Analysis

max time kernel
1199s
max time network
1168s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 20:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://go.alacriti.com/e/1004322/-source-email-utm-medium-email/w15b/112375512/h/mUfDwOohsRmxD8isa_eKAuLeijHxh7HWk6RzNR5WN88

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133443807212151028"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe
3116	chrome.exe
3116	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 2872	3984	chrome.exe	31
PID 3984 wrote to memory of 2872	3984	chrome.exe	31
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 2616	3984	chrome.exe	88
PID 3984 wrote to memory of 1184	3984	chrome.exe	90
PID 3984 wrote to memory of 1184	3984	chrome.exe	90
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89
PID 3984 wrote to memory of 4196	3984	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://go.alacriti.com/e/1004322/-source-email-utm-medium-email/w15b/112375512/h/mUfDwOohsRmxD8isa_eKAuLeijHxh7HWk6RzNR5WN88
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa50149758,0x7ffa50149768,0x7ffa50149778
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1884,i,14489259862418431784,13908337833349132690,131072 /prefetch:2
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 --field-trial-handle=1884,i,14489259862418431784,13908337833349132690,131072 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1884,i,14489259862418431784,13908337833349132690,131072 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1884,i,14489259862418431784,13908337833349132690,131072 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1884,i,14489259862418431784,13908337833349132690,131072 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3876 --field-trial-handle=1884,i,14489259862418431784,13908337833349132690,131072 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 --field-trial-handle=1884,i,14489259862418431784,13908337833349132690,131072 /prefetch:8
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 --field-trial-handle=1884,i,14489259862418431784,13908337833349132690,131072 /prefetch:8
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4656 --field-trial-handle=1884,i,14489259862418431784,13908337833349132690,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
810c7712ba9a0b417c5881da6ea24523

SHA1
3e07cd87c13a354855430d4830857ecedac85bb6

SHA256
4cb25c271f36add5da191bfed515f4d19f8457ad48022768a34821a8e01e8235

SHA512
4fdd9117ae3e8fb79356efdaea3d9e615769fefbd2716c68a2978c7528c469eaa61c313e735eb1b211da8f2467b1687fe03389c5f17025172b6124e2e119b536

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
6d961213dbecb964ce2212b41a39ac5b

SHA1
122b69a1fec3f9f559f2f02a8ea34cd22214f1ee

SHA256
8c33c77e507338fb8bd8a29320841f89f6b190d077c2272aaf4d79ff7fd40594

SHA512
6c0bf8b040650a9e800a74953319c7e4c598a73010f9f28600c092dffdc32beeabcd084fa40268dc3b7b24472c35fb042ca05d1bc8a230d117dbdc5e7879a357

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
2c124d5c9211768cc04b323c24daa6cf

SHA1
3d9a589f1f9517b4a48f988b1461c77c9e946c04

SHA256
febd3d8f76a5323e5feaea293441f10f0a81b0a093143232e32b350ced71eced

SHA512
93d5b4db71dab2cf289f5ee615f7810c806a3b2a8f505a059649b4b5f3724b5b497cc5cf694a9193ad5c02f417d43683b30442793a0f0fa4544fecdeb06816d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
d01f8638cad28cf9294afffbe2c52d91

SHA1
50f9ffb69c5d9ae1c75a651305d14bcb5abe8b8e

SHA256
cabe6108cc83fc6cce1ec4e08607b76a3f0eaee54b6d7839478ac0c18559cc14

SHA512
ae070e490748a2977bca50377beca827c974c515bf980b28bd55a85e8ea8e8a45f8688607c15a397613611610b79ea167dbb68eee71ac0bd05266fac585c1354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
250ae7760ae4cd2a9c48d29b796ea171

SHA1
a32af4dc2e2357f93528860dc55a7dc961373d7b

SHA256
7118ed5f7d7b9eaecaa793e2d9ba10b3e42b27fb4ab2001a010101c41c46b87c

SHA512
605a2b8e65a317d9efd4891e76212c2e61c3d07c0bd5bccf29559fe4ac3e6d8876f5fb8f78ea156600570e3ecd19297571ff11f52952b5ffd6232769b0e69165

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
08ea82a04d796df4b1bc806edb61a98b

SHA1
432d52f786e2dd493c73763a4536ab6a2d836749

SHA256
47ff79ca57029bea1dc007e0320636c554393c5a79d3a3f1dd45b494d240ff97

SHA512
1da9aa0d293688bc80fb316fce4a432fe9e4d76159db22bf324271a5c30fd61dd431d6328b0688e723af926d871c9d4570441e29711ecc2f5027104377ef8238

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
72f7803b51793f65d66d81ce7947112f

SHA1
be7d291d44a8321ead0a49919a44474cfb49b28c

SHA256
bcd76dee7eea4ed7b5276fa5d6f2ad1ec75ee2fc2bfd42deba598ff3e21971d3

SHA512
8ad586e38bce22e363ada955b49aae6593e2add2e1f755bc7f02bff4b8c0e41a087bc9dcd08a7437489ff6fe11102f65bccb166059538fb7be82de50142f7c87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit