hxxps://bwf1[.]qualtrics[.]com/jfe/form/SV_1Bqwu9L2aNimOMu?Q_DL=KJcVlTLNThXMI4t_1Bqwu9L2aNimOMu_CGC_Sqkk1ARpq3luPMp&Q_CHL=email

Analysis

max time kernel
149s
max time network
135s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
16-11-2023 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bwf1.qualtrics.com/jfe/form/SV_1Bqwu9L2aNimOMu?Q_DL=KJcVlTLNThXMI4t_1Bqwu9L2aNimOMu_CGC_Sqkk1ARpq3luPMp&Q_CHL=email

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133446343476940633"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
2180	chrome.exe
2180	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1120	1560	chrome.exe	42
PID 1560 wrote to memory of 1120	1560	chrome.exe	42
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 2620	1560	chrome.exe	74
PID 1560 wrote to memory of 1124	1560	chrome.exe	73
PID 1560 wrote to memory of 1124	1560	chrome.exe	73
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75
PID 1560 wrote to memory of 1556	1560	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bwf1.qualtrics.com/jfe/form/SV_1Bqwu9L2aNimOMu?Q_DL=KJcVlTLNThXMI4t_1Bqwu9L2aNimOMu_CGC_Sqkk1ARpq3luPMp&Q_CHL=email
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff885c69758,0x7ff885c69768,0x7ff885c69778
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=1704,i,6167246001809599211,7498852214197559960,131072 /prefetch:8
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1704,i,6167246001809599211,7498852214197559960,131072 /prefetch:2
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1704,i,6167246001809599211,7498852214197559960,131072 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1704,i,6167246001809599211,7498852214197559960,131072 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2884 --field-trial-handle=1704,i,6167246001809599211,7498852214197559960,131072 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1704,i,6167246001809599211,7498852214197559960,131072 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1704,i,6167246001809599211,7498852214197559960,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1704,i,6167246001809599211,7498852214197559960,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2180

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
6b1ded23068788f301a3995391940ae3

SHA1
c3ec2ae59337349cafa7e5632952614016311d2c

SHA256
726641e064f1f361398a1723440174446af07404f6d5d38d67a94d110561b99f

SHA512
611ec012d355f78624bae9bfc90b09aedb5b674d8c43fbaa28b674366420183518ae856004fff765423c8c56f4247871b01b560ec717ac9bcc8d4efc8f2e9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
71498e2302f9942f759f1751e113beed

SHA1
c9fec41bb8e8c487965c28754df10ba25676932d

SHA256
39516fd848cc11d7867b7b5aac2608f47758c0eb2b99ea5516e50822ec52a695

SHA512
d82f737623f18c0993402bc0a9f9316320169cca465ce5d010c9d2cdfc8ae822876f921dd5374e8ce62c8d58c7924bb4072ee25a1a8c872a65415af8fa8be0b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
ad0cc53e22b2c70a47be8283020b1c75

SHA1
bcb835430f54efac489e5e38578688599dc11c13

SHA256
6fa44ff50d57bb861198c1eb8c358af4ef4356e1e4e6ffe0970974ca356a97ab

SHA512
d6728ed84e6d054584b18857be0c2da3a264ecd3a54c224fea39fb1f84c45e1ffe7171b435a05e842c92944361b5de2d15861d331f185a5d906ba0f90536f8d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fd8ab097975327f92e88b574382cf7cb

SHA1
ae518021966010a352ee34dffb58833907b15fb6

SHA256
82b7200a95c794473f0cc45970df836fc32d767b38b151c3a488fed55e8a2596

SHA512
b06418e8f5ba91d966b0cde10e1f704b0918f844577b7e8ca60e80e577ecd9b10a7a1c76dd85d3f79d11cc4b8a68cdd16812b52395394dc35976b1567ec2b539

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b0e6c076db47de877489e73bb6e2986b

SHA1
8f8ec73f7f8cfa8bac39d29121196db58188a2af

SHA256
ac1be3c0e292248d61f81cf545dae5b54ae1b185ed57faa3aeb9950ed39f7dfe

SHA512
86ea0100537bdd43a54fd705ce04d242af7d0b4152f448ab385f173876846e1a2c93986385e6b9fc729ee58e9e8fb7cebace72b45309d96b13382235a6830f6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f976f51e5e7fb1858ff80c1629c28866

SHA1
4500d18ed6acd384726ac237a376d14b6982dfca

SHA256
6c4e231708290bae6288a038641e6bcf09259bc99a86ae527fa89fe9f0e899af

SHA512
8b06dfbd54b86a3a906ae8d60e73190682a76d85e9fb65d7509f2393e0f11f2fa3d7c5ea88e1baa509b725bcf30663a5d7b9451a6393acaf28831d7a9f560156

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
74793639487529b22ceae29081969352

SHA1
8f1f861d1fac14e15cee44fb457fd2cb14cc6dc5

SHA256
d49657a2f8041b7a73e0df83f1f9dd1dd1e1799d868485dc4405c5e5f9242e33

SHA512
938556ae6b5847f1bee8da3fbf40cf2e66bfac8201c4321c96879ecd2c15e86dd781f229bac81fc6a12e017354b281c2b6bf2164fbf62908a6abef1412039f41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit