hxxps://github[.]com/settings/emails

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/settings/emails

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133495225379429566"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1544	chrome.exe
1544	chrome.exe
3460	chrome.exe
3460	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1544	chrome.exe
1544	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe
Token: SeShutdownPrivilege	1544	chrome.exe
Token: SeCreatePagefilePrivilege	1544	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe
1544	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2356	1544	chrome.exe	36
PID 1544 wrote to memory of 2356	1544	chrome.exe	36
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 4944	1544	chrome.exe	90
PID 1544 wrote to memory of 2260	1544	chrome.exe	94
PID 1544 wrote to memory of 2260	1544	chrome.exe	94
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91
PID 1544 wrote to memory of 2832	1544	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/settings/emails
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9406a9758,0x7ff9406a9768,0x7ff9406a9778
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1880,i,9308525768012907757,4261091865056615649,131072 /prefetch:2
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1880,i,9308525768012907757,4261091865056615649,131072 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1880,i,9308525768012907757,4261091865056615649,131072 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1880,i,9308525768012907757,4261091865056615649,131072 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1880,i,9308525768012907757,4261091865056615649,131072 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1880,i,9308525768012907757,4261091865056615649,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1880,i,9308525768012907757,4261091865056615649,131072 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4016 --field-trial-handle=1880,i,9308525768012907757,4261091865056615649,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3460

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
710b44c39922e72c3ac74c8bf5560f55

SHA1
f7961e9d2c3af4a6d77562cf8a0b950835fb8cb6

SHA256
bc07e29b1dfc420b7d709dc0d3577a5e5239f24416917385a70510a555474258

SHA512
09204616c70869194171df846d19fb43dbfb789600f7444fff2f1f92b888c55a381cfa6a33aa6bc8322ba60453815c8df86f3042f466c466079735b97bc03850

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c748f33f42e8d2022a96abd81fb22219

SHA1
79fbf81bc7ce3fe292048b92da0251b95ab0a6c2

SHA256
4b96a6abca34d6f762c5a4da4fcbce72e6870930f419118386361bb528460708

SHA512
fd712f19437acc78673868cd60d172e65ee769276777e237399b7105c84a7d982f0c3c79c350d97894ca07847b3500231ae7d85bfdc50bf1a6bfdf0517f0bf11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a2d9e613c2f6c9be8052e0d4a49900a1

SHA1
f78244da0ee3b29d68e82d0fa0c251513ff0cc2b

SHA256
fbd8a07209208d11921511cebc40943611eb193afc54cc885ffb2f2235bf4fe4

SHA512
ce955451219f9e7547d249cd8477f1f8948e1be73a6eeea967cbc79dfc74a3738aa66eaa8b657d66b454f48668fd36b2780ea47684e96af2f2ac22e83011c7ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d92828568918dbccf397da7cbac6f253

SHA1
23a6a2f91b206afb4e0ab85972842fa95e83c217

SHA256
f45e78b9354b77e22fbc172a6ebd7478f66da1bc8a149fe03ea6c6507c215682

SHA512
dcfb60c6ef21725df3ba12d7fc5bf35a43ba4cf2fe1b06a10a7432672de4aeaf05f5b189a6faad697137fdc0efdb960664bfd82b828f3bf66e54e561cad964c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cba28ea67bc9d47eb35de10921b6a327

SHA1
02baad043977c8e4e1e00160fc176813c353ed4c

SHA256
ce9a6e1d22f471d6ced876ca503f915eb41e83e00b5c714ed4d56653e91c409f

SHA512
f85cdb0b3051dd85d6a5d9ba531213df390749e28e7230895cb7a745df119bd1ed6d4f7f9594b9883a83bb7498a2848ff4cf191b9d407b51353d0fdf99050bfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
de3a2ee8b4974519e771a924b88ea19f

SHA1
26d2b113df9f01a0d6c0acec324aa0398f6bfdbb

SHA256
bda0decda7e4a958b4adce540fe4ee875775e0cfeab3c8bc6d2b7954acccdeed

SHA512
03cee30ca211a8c727311d6e72eb0d8bb13f247dc94c3c20488164af6e05f4add55c67c78d2133c49bc3dd7aaee2a22ca5045c4dff8fe4b43fa251f6f81728c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit