Analysis
max time kernel: 119s
max time network: 100s
platform: windows10-1703_x64
resource: win10-20231025-en
resource tags: arch:x64, arch:x86, image:win10-20231025-en, locale:en-us, os:windows10-1703-x64, system
submitted: 12-12-2023 08:32
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://manulife.zalamea.ph/password/reset/2hLq3R88982eo7L8mCEA7FP9tbI1IrO3zwGmVbsWpNQHQSF8nW0NnsZA1IGAuq360DgiFz
Resource: win10-20231025-en
General
Target: https://manulife.zalamea.ph/password/reset/2hLq3R88982eo7L8mCEA7FP9tbI1IrO3zwGmVbsWpNQHQSF8nW0NnsZA1IGAuq360DgiFz
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
description         ioc                                                                        Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                         chrome.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName       chrome.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer      chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
description       ioc                                                                                                      Process
Key created       \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                   chrome.exe
Set value (int)   \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133468436013374919"   chrome.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
372   chrome.exe
372   chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid   Process
372   chrome.exe
372   chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                        pid   Process
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Token: SeShutdownPrivilege         372   chrome.exe
Token: SeCreatePagefilePrivilege   372   chrome.exe
Suspicious use of FindShellTrayWindow (26 IoCs)
pid   Process
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
Suspicious use of SendNotifyMessage (24 IoCs)
pid   Process
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
372   chrome.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target PID 372 wrote to memory of 2508 372 chrome.exe 71 PID 372 wrote to memory of 2508 372 chrome.exe 71 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 1428 372 chrome.exe 77 PID 372 
wrote to memory of 1428 372 chrome.exe 77 PID 372 wrote to memory of 3320 372 chrome.exe 73 PID 372 wrote to memory of 3320 372 chrome.exe 73 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74 PID 372 wrote to memory of 4676 372 chrome.exe 74
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe, PID 372
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://manulife.zalamea.ph/password/reset/2hLq3R88982eo7L8mCEA7FP9tbI1IrO3zwGmVbsWpNQHQSF8nW0NnsZA1IGAuq360DgiFz
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes (all C:\Program Files\Google\Chrome\Application\chrome.exe):
  - PID 2508: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffa1609758,0x7fffa1609768,0x7fffa1609778
  - PID 3320: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1824,i,2784787083978184293,277012721882292302,131072 /prefetch:8
  - PID 4676: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1824,i,2784787083978184293,277012721882292302,131072 /prefetch:8
  - PID 4852: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2880 --field-trial-handle=1824,i,2784787083978184293,277012721882292302,131072 /prefetch:1
  - PID 3020: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2876 --field-trial-handle=1824,i,2784787083978184293,277012721882292302,131072 /prefetch:1
  - PID 1428: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1824,i,2784787083978184293,277012721882292302,131072 /prefetch:2
  - PID 1420: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1824,i,2784787083978184293,277012721882292302,131072 /prefetch:8
  - PID 1784: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1824,i,2784787083978184293,277012721882292302,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe, PID 4860
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads