hxxps://dev[.]azure[.]com/wpp-edg-nucleus/

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 03:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://dev.azure.com/wpp-edg-nucleus/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133507997723343664"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1236	chrome.exe
1236	chrome.exe
4372	chrome.exe
4372	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe
Token: SeShutdownPrivilege	1236	chrome.exe
Token: SeCreatePagefilePrivilege	1236	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 4940	1236	chrome.exe	51
PID 1236 wrote to memory of 4940	1236	chrome.exe	51
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 1652	1236	chrome.exe	87
PID 1236 wrote to memory of 2988	1236	chrome.exe	88
PID 1236 wrote to memory of 2988	1236	chrome.exe	88
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89
PID 1236 wrote to memory of 1968	1236	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://dev.azure.com/wpp-edg-nucleus/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff81f899758,0x7ff81f899768,0x7ff81f899778
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1832,i,17768313800747091084,14572423699748333143,131072 /prefetch:2
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1832,i,17768313800747091084,14572423699748333143,131072 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1832,i,17768313800747091084,14572423699748333143,131072 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1832,i,17768313800747091084,14572423699748333143,131072 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1832,i,17768313800747091084,14572423699748333143,131072 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4460 --field-trial-handle=1832,i,17768313800747091084,14572423699748333143,131072 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3152 --field-trial-handle=1832,i,17768313800747091084,14572423699748333143,131072 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1832,i,17768313800747091084,14572423699748333143,131072 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1832,i,17768313800747091084,14572423699748333143,131072 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1000 --field-trial-handle=1832,i,17768313800747091084,14572423699748333143,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4372

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
7d4e6d1b6560515e77b60ebae5f2c2be

SHA1
d1a594278f541c2e81abd1185ee4a3c8caca8f57

SHA256
fab1b6a199af65ac6b37314928d8cdebdf6a3c5d93e30db81442e0370c339e2d

SHA512
e17c4a7778c20be21a47f629a221e64e89faf8e00d351b2b66ea33280dd6b97a26cbe72919d03955151ee775ffe3fbcc12dec19c23b20a518553eef1501d6b90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f401f82f0178e7653ac12277966b5833

SHA1
1f73f77654e4a0e4334058b54e3b67b6eb0dcd90

SHA256
d3322c7ecc2912d640dc9889a551a5cb3b636f3560dddcbd797c05df7d271c9e

SHA512
150a53fa98cf45a592c076f641d4e17fe9f62474f9c454865030ada70be4bf36a29c84b1cb4fb120ed4ea0442a41b3b9bc147e9bf4ddeca86dc60f4702a77eb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
38429dcee23e77714c946de39203b836

SHA1
39828d04e595c08e4578bd30634fd6830c764a4c

SHA256
87eb99cca584c549a80fbf2fe907e6890451897fa43a21843714a54f3ef80d31

SHA512
6731150506c079dc39c9bede599a87f8b342193529f7c6b40d697c5cec2e3435e18c67337c1bb164966e3e9733592f52b29e94dc483e8173132e0bc840c664f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
42ab409c3e17205228107840577c449d

SHA1
9f5ba1bc81fe1aaf79a38bee412e7e9a64b6cb28

SHA256
f1ddbf042efdd2c2c0bd1b4e04517abb81c1700c5c77a0384674a7bb14c27ef6

SHA512
317c0fbf0c190a94ff0429d03fbe9388218d8c62e6cd0bda63a0ecdd6b032786c96f5047e643a5baa7e992658b681df3c47fc764437c2d6478d6e95cf0739dfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
acec1b66465d4487c5a9c5d13c56348b

SHA1
a2506e0bfa44d0637adcb56122f4e8cf65b34d88

SHA256
2b9a81f8bef9724cba4ec7a485585321e40eb7afabbe6d608a3116798f37804e

SHA512
2a3ff29c1e66c89fc070331953ca7df04b17726d50d8e2f7f529e845960cd53d8367ff8cd696ae353d3ea877e70063f453cea4a4319fb23778de6ac94ec344fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
37b8a7dd3bb4dfd8f5a87e5f832dca9c

SHA1
d75fae311a2471961473320aa49c728bed4f7ea1

SHA256
660860c8cae9c5973feb5d1975520a34e01711aaad057bba18cbcb51623a1a9c

SHA512
fcc146af852356e93599eee99e58745d49b952b71c11b7d802d681dfbc8d128a077eb7cd3bec1905f3bb4ee49309862121c6463f94a552e845e1a438eab6e3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit