hxxps://click[.]email[.]coursera[.]org/?qs=f097ff9ca5fcee7942e0c2393ada5f11c558bbe84c7599f9cd5813d82f88f1fc78e04288d8cc7fbbf36ce7f1206a8c82943a8b5bc8e3a0cf703de28604e9ef6c

Analysis

max time kernel
62s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://click.email.coursera.org/?qs=f097ff9ca5fcee7942e0c2393ada5f11c558bbe84c7599f9cd5813d82f88f1fc78e04288d8cc7fbbf36ce7f1206a8c82943a8b5bc8e3a0cf703de28604e9ef6c

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133476914161647581"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2960	chrome.exe
2960	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe
Token: SeShutdownPrivilege	2960	chrome.exe
Token: SeCreatePagefilePrivilege	2960	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe
2960	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 4552	2960	chrome.exe	87
PID 2960 wrote to memory of 4552	2960	chrome.exe	87
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 116	2960	chrome.exe	91
PID 2960 wrote to memory of 2416	2960	chrome.exe	90
PID 2960 wrote to memory of 2416	2960	chrome.exe	90
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92
PID 2960 wrote to memory of 3120	2960	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://click.email.coursera.org/?qs=f097ff9ca5fcee7942e0c2393ada5f11c558bbe84c7599f9cd5813d82f88f1fc78e04288d8cc7fbbf36ce7f1206a8c82943a8b5bc8e3a0cf703de28604e9ef6c
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a75b9758,0x7ff9a75b9768,0x7ff9a75b9778
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1880,i,9812971790769108252,10285484675172110598,131072 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1880,i,9812971790769108252,10285484675172110598,131072 /prefetch:2
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1880,i,9812971790769108252,10285484675172110598,131072 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3200 --field-trial-handle=1880,i,9812971790769108252,10285484675172110598,131072 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3232 --field-trial-handle=1880,i,9812971790769108252,10285484675172110598,131072 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4524 --field-trial-handle=1880,i,9812971790769108252,10285484675172110598,131072 /prefetch:1
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3224 --field-trial-handle=1880,i,9812971790769108252,10285484675172110598,131072 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1880,i,9812971790769108252,10285484675172110598,131072 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1880,i,9812971790769108252,10285484675172110598,131072 /prefetch:8
  2⤵
  PID:4344

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1104

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x444 0x32c
1⤵
PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
f67d810b45685c05a5570f88d85deb1a

SHA1
1496eecafb37aefc7822784dcef3bc589000f9ee

SHA256
c8e94d5e2bdf68f23d2285a0fe6a1f1d1d4a0efd2bb763f54aca10eaba44f9bb

SHA512
0daa2a2f7d9d94fdb20ae30d207b141cc255c4a8ddf329a9c3608a9a866569385b44b60ec538c3b4de4689619619517251764c224ef9d907af652793eb9d8c4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
533B

MD5
cb31e277ddd735a7de1fc17427d24f48

SHA1
8b892c347ef26c9f7ff20d5c4ed270a9c72196bd

SHA256
0501fd6af56251a41f2739cfb697e858c73366e219dbca480ecfcac5831a5f35

SHA512
92601d16dff92575f7ccdceb1adab5c9b16471006be0b83cadf8dcd72dc8882e81cf05dbe38c845c2c9ef90ee23c641202bfe5bce4e29c679e30e4d9d0b6e3dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
533B

MD5
53e6305af198813493de4e9073bc928f

SHA1
bd5751c38924ff4985ef63c4da2ad7d7d9ab3b6e

SHA256
941f174262b4ea8530ef18c2c6533b31b2db3e8e45548f3211801c6b051b96f1

SHA512
36a3074aaffac45cc08ce2d3bbd303557de295a60fe1c6546b27dda76b2b4b47faf25eb281d9173196c62a8357b139c76673026bc5d6f5efbc08940c9904af52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
533B

MD5
1e41a5b331e3813ea177423479ad0092

SHA1
40a1d91ca80f7dfee48188edbf87d25f0317b6cd

SHA256
b2c777cb5336eb5c8137bfb4d19dab94a003b0e8d2dffaea5d65d2a4bacc7c31

SHA512
8f7ead606d9e62d3f6dfa4d2a3cc182a112f37d2d6ea34d8c24d0036e8a0f6cd0a0ce210e8a7c6c0069088e50b31c82bbfc6704ffd2761850a110d24ca077d33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2d574bbfab1adc981566782395835f50

SHA1
8bfbc68f1e8f9d0ec2430a47bbdcab50508fec78

SHA256
5d870eb9d62df3bcdf8dd95cc45692eccacfcbf7c20a859f45eb5d4776739047

SHA512
e993cd0c99866b982ed0612934fb54aa556781b02b0fbc2bac0d595b52874af8b9bac71fa9c03c8e4cbbe4218b5dcc19bdac032fc9d71bd6c7ab304d087c3033

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f1558207-288f-4c63-b5be-272b4967fbd7.tmp

Filesize
5KB

MD5
7271e61b27e34cbdfc9e44a99752c307

SHA1
20a22bde445d4c25c025ecfec7bd4257413b7418

SHA256
2d5a33dc3d581a4e44bf8842c8cf03057f0d9dce977dee3862eb19cdc4ba15a4

SHA512
c02e49eabfe99eb40cb25ab7127017acd8285d4fc1fce4a27e3e0d5d72a51bd3e7cf515b81e540ca463d6491abf7d6bdee083920eebba23c0d5779c7ff70adfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
d86e24b79ba00170b9e00c87198350e9

SHA1
66d475571105b78ea2b1809082b0915e6742722b

SHA256
765a9a2b175fcf167f170a5fb2ef64810aec946a3e44790b125e597bcac0c21a

SHA512
21a221f01e888b512cda69c4d23ef364637e28b5bf7d033c16d2018fcad26d0890a4c0d6a8cb10c5425a21c25aefcc7828fcbc2145ca33a45d468e8751089354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit