hxxps://vimeo[.]com/help/zendesk_sso?redirect_to=/%09/pub-3cc4e376473e490abac4d97a3b7e56f8[.]r2[.]dev/index[.]html#adrian[.]espinosa@t-systems[.]com

Analysis

max time kernel
149s
max time network
143s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
24-01-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vimeo.com/help/zendesk_sso?redirect_to=/%09/pub-3cc4e376473e490abac4d97a3b7e56f8.r2.dev/index.html#[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133505882645923165"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
208	chrome.exe
208	chrome.exe
2440	chrome.exe
2440	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
208	chrome.exe
208	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 5020	208	chrome.exe	54
PID 208 wrote to memory of 5020	208	chrome.exe	54
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 3316	208	chrome.exe	77
PID 208 wrote to memory of 4300	208	chrome.exe	76
PID 208 wrote to memory of 4300	208	chrome.exe	76
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78
PID 208 wrote to memory of 2012	208	chrome.exe	78

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://vimeo.com/help/zendesk_sso?redirect_to=/%09/pub-3cc4e376473e490abac4d97a3b7e56f8.r2.dev/index.html#[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa54699758,0x7ffa54699768,0x7ffa54699778
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1832,i,2749362659845695162,9452401009951598279,131072 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1832,i,2749362659845695162,9452401009951598279,131072 /prefetch:2
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1832,i,2749362659845695162,9452401009951598279,131072 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2828 --field-trial-handle=1832,i,2749362659845695162,9452401009951598279,131072 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2820 --field-trial-handle=1832,i,2749362659845695162,9452401009951598279,131072 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1832,i,2749362659845695162,9452401009951598279,131072 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1832,i,2749362659845695162,9452401009951598279,131072 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3772 --field-trial-handle=1832,i,2749362659845695162,9452401009951598279,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2440

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
6bf05bf7cf441c75cf91311056a11858

SHA1
93ed152a04b611ea52cbd6985f52bffca6c13a80

SHA256
220dbf66a6eea22354240ee8ff63fb0315765ef186bba3fc5361b6fcb8358626

SHA512
c9d0057f532aac4031c7c1f3144f6940ffeb74873a1985a3d2e99f079b7524c90c3bf903079612e3172926e565f65177d139c47e689a45df30ccb0b621436c51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e72d810f37b5d851b1269d31c48cf73b

SHA1
5f02a561f429955ffba20e68d701828f3de7843f

SHA256
bf5290faf4a60820f5b7e16777ac09530426365a8ec8ecc261711f3ca8fe6078

SHA512
4895ee41cb265047aeb54aa230a868e1724b312acd41c545700f6f7950298529d414c9824c76312fd3e323d10c04a160ec2e2f8d4be842b1a508c9d629ba7248

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cb98dcb1daf127b3a0d52f42a8bad5e1

SHA1
44918064ee718ece59ccc86f401b148d76f5fb13

SHA256
d341e3a53db7f22011585dc0b97e5f8a20cbb95e29fdfa188863e2ab83ee665b

SHA512
aff844dd55ce792ac5b05c66b82caf773db5fc71fec31437710e65f555ab5e96e86e8f2cfc1706d27031303f7b9314c86ffee7d4a7a3fd7a0131a4ec80660f93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
72b3215d8efaa30a50805e277f2d59d9

SHA1
0957c5d50a8cc400903e180d761f9ae1069c9775

SHA256
51b400f5549ccf70f335d80dca0a6f425eee4acadf5bf84410fae95fbad67510

SHA512
89a80669eece73f424293999bbb4d6f2ec9366a24800ea087d186ad921088e9573aa1f9e595dfe277128da4211fcea06aae0409f316347130dc3c63600177aa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
080facef4cf318b653017a779c69379d

SHA1
0dbe31b6bf56cdda70ec3f7beacd4f7a2924146f

SHA256
f38914840bf4792efa44a03238881373f992620fcf7ef5dbb8f1ca942f7e8c02

SHA512
e6e31c8312a8b20da6bf65b51874d4e1f0ee43a71d1c2195d5424b5ca98a5bec1daffda3f7245104987da783ac70e0a85c0e14e8f47f19719ac5b367b6d33647

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
1de725d68e2bcf93ca88177bab4508e2

SHA1
c29027dcf569820b0ac104940c1658aff2551a09

SHA256
9f0e11e82c110f2651902731e53cb234fbfd5cc6b2a7cfaa0e675049f07cc7d5

SHA512
42c47ad1f57f53718e440c2ae1c384ac4017ee660606cc8559a7dca6e29f1e6664b09e81edb32a64430424ad9e44c02cb5e0845a5cd37c2b7b9708d83c8b7717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit