hxxps://protect-eu[.]mimecast[.]com/s/kxMMCyrlvsnmZmlFZzhuB

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://protect-eu.mimecast.com/s/kxMMCyrlvsnmZmlFZzhuB

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133522301199940113"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4300	chrome.exe
4300	chrome.exe
3908	chrome.exe
3908	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 3632	4300	chrome.exe	85
PID 4300 wrote to memory of 3632	4300	chrome.exe	85
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 4932	4300	chrome.exe	87
PID 4300 wrote to memory of 3036	4300	chrome.exe	91
PID 4300 wrote to memory of 3036	4300	chrome.exe	91
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88
PID 4300 wrote to memory of 2592	4300	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://protect-eu.mimecast.com/s/kxMMCyrlvsnmZmlFZzhuB
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa4709758,0x7fffa4709768,0x7fffa4709778
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1856,i,12987911940666187578,17186562726669344530,131072 /prefetch:2
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1856,i,12987911940666187578,17186562726669344530,131072 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1856,i,12987911940666187578,17186562726669344530,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2856 --field-trial-handle=1856,i,12987911940666187578,17186562726669344530,131072 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1856,i,12987911940666187578,17186562726669344530,131072 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3932 --field-trial-handle=1856,i,12987911940666187578,17186562726669344530,131072 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1856,i,12987911940666187578,17186562726669344530,131072 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1856,i,12987911940666187578,17186562726669344530,131072 /prefetch:8
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3004 --field-trial-handle=1856,i,12987911940666187578,17186562726669344530,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3908

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
44bfbc0ca5da333c30357d35afb923eb

SHA1
deaa585db3be6afb3ea26cc7f3ae0afc243aca3b

SHA256
c3ae0b19c4f8b8328a13b8ed4c1e023610f43318ad0e63c0dca66b843360bdc0

SHA512
a4450e45adea3ec4faf3bafe87c35e5a5b714ed0d1d74dfbf312e9313e34036651f2cdf86a7be277bd54b332fe9df8c9795df7203ada16a7146b3285ffb513c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
05ab998cc9de220b3f62b914f59a84d0

SHA1
440ce641ea0e8ffe2662021f484e48c0bfa4fa97

SHA256
bb7bbfd2b319eb17aa619c2652fa0245987d45a165bd67a80bc362a11cda4d89

SHA512
bf57c24717aa47c118cfb7d92f3781301256e9ca176f17c22f80a74c3081806f7e54b9e31a5f2692bc431c4de1a987a0e35b10bf999e93e84baf99b051203361

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a7a6cfea4be926da6944e2fd55c08b36

SHA1
b351c3d99642d3d36a723481263602b4a0058da6

SHA256
f1da2c07c19d972f158622d7f6c730d53b1fd165b1959912e7de2a85cc504c6a

SHA512
822357be2f24a7bb38d1f955c9839b1b50153a7cd49f89bcd3229a92bc07f282728c011069c4f5f30e8d8d5b7963357dac928ee4404a3258a0f1bc9e549014bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4e1d1cc0898266be18e802767e2d28f8

SHA1
7eae8654d223733b1d1a938c0a6cc9a695e1ad7a

SHA256
59d8bd73dd345f0d7e5ef6427596752429119a2a28ff7cb093995e5020f7edd5

SHA512
651fe66f524ff82fc62c04d20e87e43eb24f0c046a06d1ff173b5d1e02d4203a44407b205d64f8cb727d1e7425c615b312aed9bd4f26cffa1d40f1da9599c255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
a110ce59848eabdadfafce112fcbb4d1

SHA1
e31ce8248d45a0d02fdbaf85353674e346d0a554

SHA256
3d008d5c1f99feb92183f8a51f3f7885ffb8c37fd517c45f25f4f652d6671e95

SHA512
a16129d3966edb25caee9fba0213d8df3f3a745f719ada6d41c058bc7a1bfc0736fdb600e7063fa531bbb0be7a6edee8975f68cfcdb5ef3379bb10350a298efe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\cf15fc62-bc10-4472-bbc8-bf18693fab58.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit