hxxps://montanatechuniversity[.]applytojob[.]com/apply/oAuN4WJCUK/Hydrogeologist-Professional-ScientistAssistant-BPPF

Analysis

max time kernel
300s
max time network
287s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://montanatechuniversity.applytojob.com/apply/oAuN4WJCUK/Hydrogeologist-Professional-ScientistAssistant-BPPF

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133501473962272928"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2500	chrome.exe
2500	chrome.exe
3748	chrome.exe
3748	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 4744	2500	chrome.exe	37
PID 2500 wrote to memory of 4744	2500	chrome.exe	37
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2780	2500	chrome.exe	89
PID 2500 wrote to memory of 2596	2500	chrome.exe	93
PID 2500 wrote to memory of 2596	2500	chrome.exe	93
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90
PID 2500 wrote to memory of 3504	2500	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://montanatechuniversity.applytojob.com/apply/oAuN4WJCUK/Hydrogeologist-Professional-ScientistAssistant-BPPF
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffeeac9758,0x7fffeeac9768,0x7fffeeac9778
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1880,i,10839949059769712582,971918116138159792,131072 /prefetch:2
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1880,i,10839949059769712582,971918116138159792,131072 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1880,i,10839949059769712582,971918116138159792,131072 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1880,i,10839949059769712582,971918116138159792,131072 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1880,i,10839949059769712582,971918116138159792,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4960 --field-trial-handle=1880,i,10839949059769712582,971918116138159792,131072 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 --field-trial-handle=1880,i,10839949059769712582,971918116138159792,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 --field-trial-handle=1880,i,10839949059769712582,971918116138159792,131072 /prefetch:8
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3816 --field-trial-handle=1880,i,10839949059769712582,971918116138159792,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
201KB

MD5
c445ab4315d0633d446998c80764cc36

SHA1
47d3dee9845cc6e29b6771dd6560793b8b93000e

SHA256
5635695eeb70b51c449aea7a5bd3c9699c3c28c64498fb7fcb8173aad45d7242

SHA512
83a32ffdddf3ee56e89f232c8d05a4b00265895b0e41d13700f90fa389f0bf3f112c291c24c3819751803322b11e2ff866971d835d601672b36818c4e099bff1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
4bd3ceb3957184ebc33e944459d21c23

SHA1
f22bc5d88a97b80bcfbcd4e28d6be8a32472f916

SHA256
34d5d184678ac1790dfe2ac7521afb50e14cb06799e3fb59f6fdbedff2d32fe1

SHA512
1f9dbbd67ab260d7df83feee7962029e0d0968e51916280bee7dfb4e3ee661fc0316463c771cbe444276ca9f748c4d2926203cec7a294ce2232c9f776082ba85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
355cf6fd6933a36a16e42e750bb26ff6

SHA1
d89472030a8265166ad44d8d148035d7d57bc1ad

SHA256
8d9767657cd78da0c543d50150b9290649c304386611154488afb021ba7c40d0

SHA512
aca76d454b32d8f5566d664b74594d1418a5e54ca643234e7b028a73ad1294d91877084919964587c64606465ae2c183ad4bf78bdd18ddd8c73968fdb6aca876

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fe1a9eb6cbfa67ba5ddeab6db4ceca3a

SHA1
e8ac5107a1d09b743f99bb71231abb0e05e18923

SHA256
f3c0ebee0ae51dfb26eff9e0cb4ba4a0e98090e42c547d97651ba1e46e587d05

SHA512
7100c37a06eb3cc42026b6214b489503eeb8c7f195ad821030fe02386d5b1baffed4323ccb9aaf5562a57f1087bae955908be8ce3a1c4ae47b72c164de70d1b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
871B

MD5
533785925cffc1fcd233ac5c14be4117

SHA1
bd01a8fe785676904858b5bb4d9b436bbe3596f9

SHA256
00e23a5adc1d69ec3e09c27a76446ceb54fa7a86795944fc3316ec86c9f3894f

SHA512
5b61e7ad05a0d3393c9b73d0af99549963ef2be33a92ef51c1083cf654551ec36f7472ffe722bd03f857f24383d183adeffa86c47fc82c8956f5115fc2ffd77d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
55f1bdcf3da59c576aa65a3c4f160f11

SHA1
8670c96b2077e56e1269441279ad4ee5f24a936d

SHA256
7fa4300c435eed457c1cd83630705fbcb3e3f44bdb9eddcfcb5a408955a87905

SHA512
96b8a1b6f14622373ebf45babed7f1054a984918ead1bccabd44672de9cfa9c5a43dc9f32563d273ef0c47c5e0f6c383205f6fe888964ef11d1e9d819171811c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
dd21da68c2292e14bbd7404dbfd8dd5a

SHA1
455ff3cdc4f7c65add75beaa84c2fd52bac30620

SHA256
f132375fe2fbe4db7832d4fdfb568cff6a22aa4b7add508c34337c053fd35b51

SHA512
366059ddb600dbef275b499cee84846b900a9033a9b534b0546e872ca602bd75e6a05167a09158d38a955ccdfacd6fba64324942b03264e54382c15d6dc6dd14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit