hxxps://dentons[.]direct/mfa

Resubmissions

16/11/2023, 16:53

231116-vebdcsdd63 1

Analysis

max time kernel
301s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dentons.direct/mfa

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133446273365822188"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2012	chrome.exe
2012	chrome.exe
2440	chrome.exe
2440	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 4124	2012	chrome.exe	88
PID 2012 wrote to memory of 4124	2012	chrome.exe	88
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 5004	2012	chrome.exe	91
PID 2012 wrote to memory of 3056	2012	chrome.exe	92
PID 2012 wrote to memory of 3056	2012	chrome.exe	92
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93
PID 2012 wrote to memory of 2996	2012	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://dentons.direct/mfa
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb12de9758,0x7ffb12de9768,0x7ffb12de9778
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1888,i,2498019215346239232,2734286180184534355,131072 /prefetch:2
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1888,i,2498019215346239232,2734286180184534355,131072 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1888,i,2498019215346239232,2734286180184534355,131072 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1888,i,2498019215346239232,2734286180184534355,131072 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1888,i,2498019215346239232,2734286180184534355,131072 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4712 --field-trial-handle=1888,i,2498019215346239232,2734286180184534355,131072 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 --field-trial-handle=1888,i,2498019215346239232,2734286180184534355,131072 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1740 --field-trial-handle=1888,i,2498019215346239232,2734286180184534355,131072 /prefetch:8
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5116 --field-trial-handle=1888,i,2498019215346239232,2734286180184534355,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2440

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
cbfbd0a4e5d8b5ef515b4c970d15ddd3

SHA1
8d193141641a38881c75c5e38dfa257f60df6983

SHA256
cc5efdb042e79672bf92190934fad72f0a1eaa9cf35036241306070b40a1b042

SHA512
e58e967ea35e0a85101301370cf8a903f0543fd398da848be8600dae40ff9052943261a4252892e6378676f59ca0368d341a69a8c4d0df928518a2276aeddc66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f829a5f42cd2a84894a606716d720c8a

SHA1
8e31536050e731e30546f5a6d4ec16a8d44a63dc

SHA256
c0c549437cc8357196444864c2149c33c41ec385441e33d623d4eeb898b44f76

SHA512
6b64f7c12975a6daf0fcac4003734744daf52fc12c912ee9da8a62518055832e53b7b0514c9d6317d0b768a8ed0646fa9e9b995c5c3d3b07ccb0e01abbf4a11f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bffb15265884cfc06fa52e5e2c995507

SHA1
96a7602b9cdec3d06d37864d2536340a4a61b266

SHA256
2737ba2e63d701444999db17ef070e6a1d641b21c41c73d8e614c1d8758817b3

SHA512
4479ac37c8437c238ef5703c4e002ba756a94f47748280bf2f6500684cc55fad1255240d4e0e079dd56220e52371810692165292ca201bfd45bc99acbc0e8d2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2a6720ffa7b4fa77681558879966a1bd

SHA1
d24e74baa7ff15a02898fa258bb7c9f7afe80fa1

SHA256
a251505352bd586451c89a0b8099d2d9530fd1714e920c73581c6b25a41c4c73

SHA512
12687b03df1c07985c03b9dbec66fadcdbe11d5b4a906228e0e7bfc832f07abfaba6c00211343cecec78869c8bb4ce9f73ea58ce1cac448769edb8a85ee91421

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3b29a98325604c2c95d891b969e45272

SHA1
3dcc8a4c0896fa477fc565766fa7c477ecaaa698

SHA256
f058b00093bb78a1e2618e157eed8e771bbddf05427d58fb3892252ca68a7d4d

SHA512
90ef9ba47c52df59d8a3dc2d5eddc5d603ad6faf27481a3ebae83d44e4b0a106e644816a7285b67816fa785159de37b3fbefe45f112a2225e51dc06601d0668c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
51f1845aa128bf883684b4ecc064e7b3

SHA1
e95dba3dec318326913531f6fc5f18e00536e8f0

SHA256
140f7b00709887c0ce1039575afdad9f8e0bda303e23f1f335fab6897269f255

SHA512
fa48b9910ec754d5e04f2f2763e36cabccad5675c90d406a9840185a59c60c0c78df2b30d23c50e3332dd1a664a5e2fc1ac3bedc7029cd20816afd6921396643

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
bd621efa4d9e54008fe018ea6d32b198

SHA1
33b6fc2b7fcda8671bb40fe81cac0c51f2bd4af7

SHA256
937ccce10d084bd108bf3ec2cc6a3c77f3b48501a369c61c763547e2229ee658

SHA512
e034ce67b079f6dadb36aed963ab3e05d28588a011398a569a18c3eab10a0240a4c7fdf97ad0425e994addf45c2671f9614edfdbf4ac1d7d659cb318cd2b7e02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit