hxxps://www[.]marcusevans[.]com/conferences/supplychainresilience/delegate/agenda

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 01:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.marcusevans.com/conferences/supplychainresilience/delegate/agenda

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133444003974857714"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4408	chrome.exe
4408	chrome.exe
3740	chrome.exe
3740	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4408	chrome.exe
4408	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 1768	4408	chrome.exe	14
PID 4408 wrote to memory of 1768	4408	chrome.exe	14
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 4444	4408	chrome.exe	30
PID 4408 wrote to memory of 3436	4408	chrome.exe	29
PID 4408 wrote to memory of 3436	4408	chrome.exe	29
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25
PID 4408 wrote to memory of 1664	4408	chrome.exe	25

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff892569758,0x7ff892569768,0x7ff892569778
1⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.marcusevans.com/conferences/supplychainresilience/delegate/agenda
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1864,i,9403493732077415879,9057766456782599450,131072 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1864,i,9403493732077415879,9057766456782599450,131072 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1864,i,9403493732077415879,9057766456782599450,131072 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1864,i,9403493732077415879,9057766456782599450,131072 /prefetch:8
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1864,i,9403493732077415879,9057766456782599450,131072 /prefetch:2
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1864,i,9403493732077415879,9057766456782599450,131072 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=1864,i,9403493732077415879,9057766456782599450,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 --field-trial-handle=1864,i,9403493732077415879,9057766456782599450,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3740

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
bfdf5d30882db380bf2d01a78db0ea07

SHA1
687feb7b395a967ade80ddc50b1c7b8a3984af56

SHA256
bd05875485d76f78990c936fe01caa1732988dd927b2467d3021253fadc4d403

SHA512
5cf8eff7f9168cf793d7d9304c661aa69c9c762bda808fac74959480503f0b8df5c8e55056a2c794bb7295199fce184341f0f8c1bdc3a616db86855656c1cd43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
13d6d19f3011eb84c5286f5d578399bb

SHA1
ab5dc784c33df13c2376bb12ffee8331ddfc3f4c

SHA256
109718d9cea831acd4bd2c803797b15d673507c792391ac52a723ca40105cd57

SHA512
da95d9d7d9a74ca70b58887943bb41c261eab6869517eeb5a8bb0b58e190f04bd036c39a9be2a7eacfdcdd4cc4aa163d9357ad54830d6cc4d59a8655487b527b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
5e4fd57ebeb19629e4b721d234e5b5db

SHA1
cd321585f1a513636f6d75b66f1309b4e1f4af95

SHA256
15bfd0871d8f94c0fff359c4e2a9b934163048a0aad4c13802f06505651e601d

SHA512
bddd41635e8889e550454d597947d14eed5a69f35a2b49e1e617518fd69e0d454009f39dc6c2bc95b596affa46cc73b90b77553fe67f880910a9190d6e7733e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c1b5e6a5-44a1-41a8-96d2-7ac8c49b00a8.tmp

Filesize
6KB

MD5
63a739fdd202ea303084b33cfc919f81

SHA1
54fc3c4857dee34b5a2b955e4676671f85e205f3

SHA256
18063dccbdc7900eebd342dade5d65f1fd4f588b2acf881a2b1050432d808b3d

SHA512
1a30ba4b6761048662db81d68a081b2027095ccba47f638cb5b1663f0a84b405a65e7dccdf7249742bd1857c85745efbb4e20ada20f6b818dd1d3a4c30c79c28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
8b2a2b2d3b26fea4ebff3250bf91b0cd

SHA1
8d54e6e62674b45c62ff8dfea30a892b45d1524d

SHA256
60604b0f182b6b6273d1cdee5f1a38fb158d2100939aaf47af16f486b29c8128

SHA512
91c148e90d954e8c365436cd651cdc5e93ebf5f1fc5e60354b756b91006bd0183385c79c57a330613575b1182d3b9f770c6acb9efd23355cdca8885dac47f2de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit