Analysis
max time kernel: 299s
max time network: 300s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2023, 22:34
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://zoom.us/signin?zcid=1640
Resource: win10v2004-20231127-en
General
Target: https://zoom.us/signin?zcid=1640
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Modifies data under HKEY_USERS (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 2288 chrome.exe (2 occurrences)
- PID 4548 chrome.exe (2 occurrences)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
- PID 2288 chrome.exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeShutdownPrivilege, PID 2288 chrome.exe (32 occurrences)
- Token: SeCreatePagefilePrivilege, PID 2288 chrome.exe (32 occurrences)
Suspicious use of FindShellTrayWindow (26 IoCs)
- PID 2288 chrome.exe (26 occurrences)
Suspicious use of SendNotifyMessage (24 IoCs)
- PID 2288 chrome.exe (24 occurrences)
Suspicious use of WriteProcessMemory (64 IoCs, all from PID 2288 chrome.exe)
- PID 2288 wrote to memory of PID 1932 (procid_target 38), 2 writes
- PID 2288 wrote to memory of PID 4908 (procid_target 84), repeated writes
- PID 2288 wrote to memory of PID 4404 (procid_target 86), 2 writes
- PID 2288 wrote to memory of PID 1344 (procid_target 85), repeated writes
Processes
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2288)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://zoom.us/signin?zcid=1640
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1932)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbe5b9758,0x7ffcbe5b9768,0x7ffcbe5b9778
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4908)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1896,i,2795324072507361005,13252750181249964631,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1344)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 --field-trial-handle=1896,i,2795324072507361005,13252750181249964631,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4404)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1896,i,2795324072507361005,13252750181249964631,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1964)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1896,i,2795324072507361005,13252750181249964631,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 768)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1896,i,2795324072507361005,13252750181249964631,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2136)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4724 --field-trial-handle=1896,i,2795324072507361005,13252750181249964631,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1476)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5196 --field-trial-handle=1896,i,2795324072507361005,13252750181249964631,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3216)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 --field-trial-handle=1896,i,2795324072507361005,13252750181249964631,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3396)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 --field-trial-handle=1896,i,2795324072507361005,13252750181249964631,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4548)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4616 --field-trial-handle=1896,i,2795324072507361005,13252750181249964631,131072 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1516)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads