hxxps://click[.]member[.]americanexpress[.]com/?qs=abd6c4cfa65727fd298d0c929848be0ffb035bffe20e3f66c8336f8

Analysis

max time kernel
152s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 12:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://click.member.americanexpress.com/?qs=abd6c4cfa65727fd298d0c929848be0ffb035bffe20e3f66c8336f8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133446131257265370"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3632	chrome.exe
3632	chrome.exe
232	chrome.exe
232	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3632	chrome.exe
3632	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe
Token: SeShutdownPrivilege	3632	chrome.exe
Token: SeCreatePagefilePrivilege	3632	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe
3632	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 3056	3632	chrome.exe	28
PID 3632 wrote to memory of 3056	3632	chrome.exe	28
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 1824	3632	chrome.exe	89
PID 3632 wrote to memory of 848	3632	chrome.exe	88
PID 3632 wrote to memory of 848	3632	chrome.exe	88
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92
PID 3632 wrote to memory of 1052	3632	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://click.member.americanexpress.com/?qs=abd6c4cfa65727fd298d0c929848be0ffb035bffe20e3f66c8336f8
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc7ea9758,0x7ffbc7ea9768,0x7ffbc7ea9778
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1916,i,15565340470596690490,9308522720662171162,131072 /prefetch:8
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1916,i,15565340470596690490,9308522720662171162,131072 /prefetch:2
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2804 --field-trial-handle=1916,i,15565340470596690490,9308522720662171162,131072 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2816 --field-trial-handle=1916,i,15565340470596690490,9308522720662171162,131072 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1916,i,15565340470596690490,9308522720662171162,131072 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1916,i,15565340470596690490,9308522720662171162,131072 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1916,i,15565340470596690490,9308522720662171162,131072 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3848 --field-trial-handle=1916,i,15565340470596690490,9308522720662171162,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:232

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9bb55102270c239c8ee7f1fa6c840426

SHA1
c13050815660b002b8b68154efa32647c1c323bc

SHA256
28c3d89ea29c227ad5e17666b252c2b3d6ac1e1d1566ee87fd4d748142b25cf8

SHA512
2f202b83fce8602fd355853333a5bc86a2b5d591fbbbe685a2b0da2a4f7ff71a734a46ad1214cb89becf6b7892cfba7fe68050615c5e1537765e812ed4840b95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
0673ccb32940c840b2f4d98081fe771a

SHA1
a236fafce218ba599fd075610575c9bb928aa1e3

SHA256
42fd93a7902a57ff9e91e74aae554d03408ffa3db582198adfd572510cdc15b2

SHA512
1361e227377236bd6fa158519e1f9404e49392bef6e9d4c8add6e94db912db2cf558645b8de2148c8e7a8470c3fd55c18f693e39e769c1c20e87e000afe7ca26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c4ab005e96eabd05459a9ec1505cef53

SHA1
a7f0485061d769b93af1808a98bc2b5648bb4362

SHA256
2c410b0b0c4e9208d78ef395aca97d07128c7a51017c6feff762541eb29206f7

SHA512
1e312e6b5c1967e9628a7b392b579208458b41d80f01fa10ba61cd05f51a9a1e87cc417410e193fead06dcdda44e79942f7c83377f64b24bece00ec93dfcaaf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
d42bc75d05baa0b83f0e71befd05e096

SHA1
e78e8bdee127c607f612ad8e33a826199e89962b

SHA256
fb20e2a86a441438b81c6dce1af71e9aab1c07f01a29efd909bde7fd0b4c3c25

SHA512
92e7d9c8c2d933ba0da03924d522277d808ad997700e29bb99559c5f50609d0e7d97b46d137796403d1b5ade12f8ece396f69a3d6bba24a2d2b0336fda3ae64e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit