hxxps://healthteamadvantage[.]sharepoint[.]com/[:]x[:]/s/accountingandfinance/EZ8PHppedKJMiV0DvDosom8BLhi-DEuNlujdQX71SRlSDg

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://healthteamadvantage.sharepoint.com/:x:/s/accountingandfinance/EZ8PHppedKJMiV0DvDosom8BLhi-DEuNlujdQX71SRlSDg

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133506962591629699"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4584	chrome.exe
4584	chrome.exe
3096	chrome.exe
3096	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 4456	4584	chrome.exe	87
PID 4584 wrote to memory of 4456	4584	chrome.exe	87
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 3280	4584	chrome.exe	90
PID 4584 wrote to memory of 2868	4584	chrome.exe	91
PID 4584 wrote to memory of 2868	4584	chrome.exe	91
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92
PID 4584 wrote to memory of 412	4584	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://healthteamadvantage.sharepoint.com/:x:/s/accountingandfinance/EZ8PHppedKJMiV0DvDosom8BLhi-DEuNlujdQX71SRlSDg
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe353d9758,0x7ffe353d9768,0x7ffe353d9778
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1876,i,10760688970925598820,9635399436513144079,131072 /prefetch:2
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1876,i,10760688970925598820,9635399436513144079,131072 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1876,i,10760688970925598820,9635399436513144079,131072 /prefetch:8
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1876,i,10760688970925598820,9635399436513144079,131072 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1876,i,10760688970925598820,9635399436513144079,131072 /prefetch:1
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4720 --field-trial-handle=1876,i,10760688970925598820,9635399436513144079,131072 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1876,i,10760688970925598820,9635399436513144079,131072 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 --field-trial-handle=1876,i,10760688970925598820,9635399436513144079,131072 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4996 --field-trial-handle=1876,i,10760688970925598820,9635399436513144079,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3096

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
10bc86576fcf6d5c559b32bdbe5537dc

SHA1
8469f4bcea77dc00464d35eb9c2b9ca58d357972

SHA256
30ab3336b4da101436ecb2d25f6ffbbb4f0d4fd1de0ab51562a01fac358d4617

SHA512
f7993a3b3fd52b6bd81d968d4ccf26b8266305a0bde4af42bae42dd65fcf3bca18b901f1560412a240d13afdd6cf7969793894c66f5bf83f05e356dec8972a10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d12d52eef65bc3d4e746c70c570ab8fb

SHA1
540f29c2b9f8feac91d9993bb3fa3b1997301160

SHA256
055b6e50daad279b439bef558a83d6a7d0e42c89a98569ff7c7330ca8f6f029c

SHA512
19e9a4e7c2795397ed237589ef1aee18c649aa8980518fc158e713d7984a131e91a4864e19fe968368d7e8e666f52b32d42f61786166344ba8ab3d4903014f06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
61431a01e5b938150978c09090521da1

SHA1
cb651f9eb524084ddbc0a5cf65f28be98462e4e6

SHA256
386d26963e873c190fb4a303a0883620d1c8b7e3f7453cb68164da81528c6b9e

SHA512
c76337a9f5b471c19571fc2b37d448838ff8e292de027bc0b9d3246a6c4a68146640965e14814f44848a4054e91aec6b259087bcac2e30a4d9672de5ee1eee33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2c05586bc7b4bf194a56b35189fa0f6e

SHA1
0972e886f72a9163428c7023d6acc85577c865c0

SHA256
007cec089aba24068d8fbbb5baa9e88373eaaa09f0cf40708e81cb54e4d13441

SHA512
99321b62bf0c368727b235c164e794eff6de9b85a44f283c822f6b0bec39a27905322c1c7834e3a4fbb7890b01f0cbeb6eea178d3b814e7e6cae02a582e8649b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
585080747ca1cb9d0d4107a21223bbe7

SHA1
6fbd93344e9bcf22a32ea4ef526102e812ee1f28

SHA256
71d2d2871c49a803f284ced49fa38da8056d8f9c9ebcf4d2b9c0efa9b7c45cce

SHA512
deb1348d65d7aa0bc70b0faad2649a0a2558888cbdfdcf74ecf20f032610099186ccd5b08593acff2b6aa28ad23377818209141ee146c79a1e43822b4f8d7a9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e63cc9ebeae5c974397c0ed475716da7

SHA1
91dc6c46f7b736ee33db56c333937ff3e5e978d7

SHA256
0d6e2c470f144f8631d8b804192eec93ad2784bfa6360beaa46a4ce1cf86d8c3

SHA512
b3601ea16a3765ec1a7baf500a28b793cc0d47c23808f41438497adf546140ab50579fd5d4b89ee3d89ac8ddbddfa0cb0be7f85620befdf8fca41349eac9af32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
5322502859ba8529d27a7511d811c72a

SHA1
9d1f9b6c2aa03813cc5dc34da766edec1246c1f9

SHA256
ff0fdd12527dc62f0d69cf72e6a298eb1aa8f11a98b34ae076015983a3bebcc7

SHA512
b372e68ec66800339e2aa865f589c7797eb1e9d3e6d0aad744376493d6540df99a6cb09f437153e85003aa8f9c99d14e2bcebb91eebdb30760d459103aa544b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit