hxxps://apc01[.]safelinks[.]protection[.]outlook[.]com/?url=https*3A*2F*2Furldefense[.]com*2Fv3*2F

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://apc01.safelinks.protection.outlook.com/?url=https*3A*2F*2Furldefense.com*2Fv3*2F

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133488687258416846"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
220	chrome.exe
220	chrome.exe
3912	chrome.exe
3912	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
220	chrome.exe
220	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4860	220	chrome.exe	56
PID 220 wrote to memory of 4860	220	chrome.exe	56
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 2120	220	chrome.exe	87
PID 220 wrote to memory of 3140	220	chrome.exe	84
PID 220 wrote to memory of 3140	220	chrome.exe	84
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83
PID 220 wrote to memory of 4012	220	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://apc01.safelinks.protection.outlook.com/?url=https*3A*2F*2Furldefense.com*2Fv3*2F
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc96ad9758,0x7ffc96ad9768,0x7ffc96ad9778
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1892,i,2341036963072997029,10240038259176917219,131072 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1892,i,2341036963072997029,10240038259176917219,131072 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1892,i,2341036963072997029,10240038259176917219,131072 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1892,i,2341036963072997029,10240038259176917219,131072 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1892,i,2341036963072997029,10240038259176917219,131072 /prefetch:2
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1892,i,2341036963072997029,10240038259176917219,131072 /prefetch:8
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1892,i,2341036963072997029,10240038259176917219,131072 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3636 --field-trial-handle=1892,i,2341036963072997029,10240038259176917219,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
db43773e0681b3d092cdc66ff12bffc1

SHA1
38a08d702324f2fd06ae22141b4fb888cee970c9

SHA256
05a1327148f1634ddd059b838572b7992830416e5c77bf4c46d39d21eb780df5

SHA512
d722956c45039a02a9134898af2ceebf97266f2f71936448217ba4190a016c2676e74e64d2533ed0fd179e97460a0f0542e10378c3c1de098caafe7aff5f756b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5ff03b5b30d8693b19df1116fa4452f9

SHA1
6578ad2e863d4495372b76c1c77eb7e5f2f57a8d

SHA256
c91c40b8b12e030abd708fcfa99f663a1889158a7a7a001b4e24848b7ee98277

SHA512
abb0c438d08621ad008c1f8c60d91a5b4cd5c6095324bd9dd080c3bfe53170c22442b98440a15316c41cc44b62a9ae5365697891b97e1bbc82007d29ab9accd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dc0b046a954e7476685db854e5cd4179

SHA1
7dd88828519e4f3d9ddf8f509b6d8379ab1dcf6b

SHA256
dda4a61a7650fedcd76b22f0f64ec6dc7f8f026d56289d0a3f3ca16f6e9faea8

SHA512
b04c58ecae4e127c255e6df5ed41df411d12ab8dc92c840bd688151d84c67ef6468f88088ec927b6f88e5d6c28ff81d243b98e6a65738367b6516603920a8f29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
828106dfed836252c4cab8a8b49b67d7

SHA1
e0a5c786d788d7cb2a42bf4d3f3e6d7b6c576146

SHA256
725dceb87778cdd5637d48029d97548b42d7fcf1bff924f760a3ff8df95b542d

SHA512
88d62fdaf55e061eabc92cb232927c74fc87c2326f17c90a843620f3417f91b929955e8904cc49221a81f91dc485d786d21fe3c1d6fa7bdfd76876c56e85cf83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit