hxxps://t-trg[.]email[.]adobe[.]com/r/?id=h50a26073,8f13aafe,8515183a&e=cDE9OVJRTTQzOTk&s=cU9kt1kTV1rM0MbBJsu18pOFa518ARXvIz04aVFtCp8

Analysis

max time kernel
600s
max time network
490s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://t-trg.email.adobe.com/r/?id=h50a26073,8f13aafe,8515183a&e=cDE9OVJRTTQzOTk&s=cU9kt1kTV1rM0MbBJsu18pOFa518ARXvIz04aVFtCp8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133446616011630773"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
1872	chrome.exe
1872	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1900	4908	chrome.exe	85
PID 4908 wrote to memory of 1900	4908	chrome.exe	85
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 3584	4908	chrome.exe	87
PID 4908 wrote to memory of 2232	4908	chrome.exe	89
PID 4908 wrote to memory of 2232	4908	chrome.exe	89
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88
PID 4908 wrote to memory of 5816	4908	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://t-trg.email.adobe.com/r/?id=h50a26073,8f13aafe,8515183a&e=cDE9OVJRTTQzOTk&s=cU9kt1kTV1rM0MbBJsu18pOFa518ARXvIz04aVFtCp8
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb4c019758,0x7ffb4c019768,0x7ffb4c019778
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1868,i,2002073812280422552,3094827209064015813,131072 /prefetch:2
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1868,i,2002073812280422552,3094827209064015813,131072 /prefetch:8
  2⤵
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1868,i,2002073812280422552,3094827209064015813,131072 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3168 --field-trial-handle=1868,i,2002073812280422552,3094827209064015813,131072 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1868,i,2002073812280422552,3094827209064015813,131072 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4564 --field-trial-handle=1868,i,2002073812280422552,3094827209064015813,131072 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4956 --field-trial-handle=1868,i,2002073812280422552,3094827209064015813,131072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1868,i,2002073812280422552,3094827209064015813,131072 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1868,i,2002073812280422552,3094827209064015813,131072 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 --field-trial-handle=1868,i,2002073812280422552,3094827209064015813,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1872

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d1aed59f218f1f7c720bbb0d80e2902a

SHA1
ae67632dadb4fd39649ba0fffdff8d2e0147616b

SHA256
eee346c54c4e6b54d4bbeabb7487099d2e420fb1c68093c9d5fc17c06b9bf901

SHA512
7a20d7c1a1416b49a2b2e549865f01f5f2ac97c13f058be513afb8d8c1306ebe94804172bcc105b34c53764f2ebaa804c35c4040ca19c197e2f0044253b344c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
700B

MD5
6d062add36491e24ef7499b2a14f79eb

SHA1
2948bd9e81f826a4001281f33b23a9b9b3d6fd88

SHA256
15e3a56c3c19329a19a437c1c6e73a8be59e1cb2ce27941d8f7d069a381790ce

SHA512
6f532219f8d78488b14f828ce98a2c540f49bbc4d02c9ca8394c8694e518fd84ab23f947cdcfc452e80db1c29244576388c84f4eaddea1e160e82aa81f74e517

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5e358ae45baa4d85e8756ac7f26a6c19

SHA1
9af11eeece598fccbd481c252e898009123dc53b

SHA256
32a896a0c0ebfa38399ce1aa2647393854af7373aebbc992607a56319a7996f8

SHA512
ebce35ede2c7270c0a4bfa5d1f5d1e88474f590b9263c86da625f97ce76aba4901e4adc47c8cda0333dc88a5af10e3176bf02d29dc49c375f0a6bb32a14a1cb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
9cefc75f76c68f928db3cd834494e2ec

SHA1
f142c3e13322067a84145eaec6cfa667534a7975

SHA256
de9eb078c24cf008f6e872ad073c92c75e7a099920cbd2ab4bed6c6b304e037a

SHA512
7b1a658e6bd4a15d8062caaac6b95df33765a0c7159cec8bbf446095243457221ce39f1fad5707ffc2d260a29bcbe534d497d68566c915f710057b39842da04d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit