hxxps://www[.]icloud[.]com/iclouddrive/0e72zCb8P7WeUa3H-lKiuOiCA#stgelectricservices%5F49493

Analysis

max time kernel
60s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.icloud.com/iclouddrive/0e72zCb8P7WeUa3H-lKiuOiCA#stgelectricservices%5F49493

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133500664096181922"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2820	chrome.exe
2820	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2820	chrome.exe
2820	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 1544	2820	chrome.exe	85
PID 2820 wrote to memory of 1544	2820	chrome.exe	85
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 3228	2820	chrome.exe	90
PID 2820 wrote to memory of 2648	2820	chrome.exe	89
PID 2820 wrote to memory of 2648	2820	chrome.exe	89
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91
PID 2820 wrote to memory of 4412	2820	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.icloud.com/iclouddrive/0e72zCb8P7WeUa3H-lKiuOiCA#stgelectricservices%5F49493
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1cff9758,0x7ffe1cff9768,0x7ffe1cff9778
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1900,i,14485115250553086487,4580575392317065185,131072 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1900,i,14485115250553086487,4580575392317065185,131072 /prefetch:2
  2⤵
  PID:3228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1900,i,14485115250553086487,4580575392317065185,131072 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1900,i,14485115250553086487,4580575392317065185,131072 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1900,i,14485115250553086487,4580575392317065185,131072 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 --field-trial-handle=1900,i,14485115250553086487,4580575392317065185,131072 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 --field-trial-handle=1900,i,14485115250553086487,4580575392317065185,131072 /prefetch:8
  2⤵
  PID:4348

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
057ff0b6359b68f02cf88eb0721614dc

SHA1
fa4e38f58f8a4b6e7ba64a3b7a3a138751bf541a

SHA256
d8ae35f03f84b4cea1f28fde30b9fc82acf253aa6c3b907949b3a66f5a888371

SHA512
c179247787c597305ea7f880c090da7bb5f9b576ff789df449a619ad21ef2cc353f81fb9eebc8aeb131aeee3d0286034b898eb0aafaa46cddf7f14382393dfe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
5c421657998ddf4a76d13f0dd168c8b4

SHA1
61a2f0646f36e808341540ea7da6d0a89c0b5d8e

SHA256
2b3c8dc4e5866b04c5332dbaf18eb6da0d5c4b43ebbcbdd36a841dcd4f26b3db

SHA512
e2b8db23f3dc5a3d7374f7942a1cf5c84664b84d042bd9a8690a06cd6a3255d72b063b8a97fc8c2398c8ffd3c49e3c1e6b386cb1eb235d75b928a4e5bd6906e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
152881490d2610ca7e0f4ce21d702fcc

SHA1
76ceb5aaecfcee6af1a2bd42e942554dcfe7d4df

SHA256
7e7e900f2ef67c4e8ab52b045ef051d7fe933e4b702f2d30e738cfd5c7c2bcd9

SHA512
967e45d28fb75b40359d8fbbf3d1a15053b08827455f5bcea30e54a643bf7377c3a416fc2b2b13afee88016b743dcfb0562c01d74e0b331f34118e9e82f27a20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
982326c1dbfb4af4169575804b670d20

SHA1
3d0364764240c064bb93f640b7219bfe223bc5d8

SHA256
6c72c7851ae5c8b4d5c2cd6724ea9128ae169b0a1ba87f28ca04b991aa8571ee

SHA512
9b26a28a01ffbd0c10bce33dedc1dca5ae1dec062c2502ee95d700c3f557dbb86e4a29625db97fc798a743a236764ad90c2d07b6eb1432584f1d1251a21ef6c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4dbe986db99d0bc53855d2a0c20d8019

SHA1
952196c05c4e28503336e456a05af3701975d5ea

SHA256
80cadff4285f56794c3d3bc42eb44d56e0589ac38e5d33672593c44231eb514b

SHA512
7d322f149851a82a40c64b4aecd762fd3a767a715c7b933e785758dc7b05024d2d1c96fe397f7ec95c60fc99e3b84797da2e12e59787c141d522f1c26c174269

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ad580cc66b902f11aade829116f87fb3

SHA1
c09229694c9bef18b65017829110fdbab50e3041

SHA256
fa1975e61d85e2de65beaec21654def83e120404c57e5e2997eda428141607dc

SHA512
9d024295fbd878cf75ec5c62be2069924bec4062b3f73b0b58f81743d91e132811dead5a296798b5a5d0692c8baba642fb17bb9f72809a2154c7fade9b0d19c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
df6fd6add7a5775143f3dd595c862147

SHA1
4f5ee489c02f0b27b8875faa6662597eb044eb0f

SHA256
66cba7d53f9ef89d1c1adbeb2433ec6baf9e5d593f3b8ac4eab6809810a3ff25

SHA512
16934f7bec05d9115059ee1005519f78d7b7e0cc010f26869629b7f4628a7a2192b20cdb027d9a78a1fd835865ee51c5133a3730d48cfbc1d3cbed5871cbd6f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
bfed1b726a8211da64149e4fa95509bc

SHA1
87946c9fa4fbf5e9dfd37906e490a4842474d833

SHA256
1299e80022bf1fa503dce00b3268d7d56dd01f76b8043af51dc7edcae4583421

SHA512
83cbed2337eccdc5da4807a17055287a205ae926696dea84cc4cd5ae8acf1ecf0b827eb389a5e0048ff180e8b3172dcfba8d4190a72f188856f4797da3f758ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit