hxxps://carexconsultinggroup[.]us16[.]list-manage[.]com/profile?u=99c294754239474b2f9b63356&id=4c2d1012a7&e=15d1f2cb30&c=31e69da2c7

General

Target

https://carexconsultinggroup.us16.list-manage.com/profile?u=99c294754239474b2f9b63356&id=4c2d1012a7&e=15d1f2cb30&c=31e69da2c7

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133522346620789317"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1720 chrome.exe
1720 chrome.exe
2000 chrome.exe
2000 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1720 chrome.exe
1720 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1720 wrote to memory of 1628	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1628	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 3564	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 2644	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 2644	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe
PID 1720 wrote to memory of 1764	1720	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://carexconsultinggroup.us16.list-manage.com/profile?u=99c294754239474b2f9b63356&id=4c2d1012a7&e=15d1f2cb30&c=31e69da2c7
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff921f59758,0x7ff921f59768,0x7ff921f59778
2⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1856,i,5271143281082320126,2324944489938920107,131072 /prefetch:2
2⤵
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1856,i,5271143281082320126,2324944489938920107,131072 /prefetch:8
2⤵
PID:1764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1856,i,5271143281082320126,2324944489938920107,131072 /prefetch:8
2⤵
PID:2644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1856,i,5271143281082320126,2324944489938920107,131072 /prefetch:1
2⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1856,i,5271143281082320126,2324944489938920107,131072 /prefetch:1
2⤵
PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1856,i,5271143281082320126,2324944489938920107,131072 /prefetch:8
2⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1856,i,5271143281082320126,2324944489938920107,131072 /prefetch:8
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4872 --field-trial-handle=1856,i,5271143281082320126,2324944489938920107,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
a0c14880d2202100be9ec3d5246bb0f7

SHA1
ce0feea90fd75918b91b23f85837b0887653b7ba

SHA256
32aed0b3a0bdc7ef7341be69afe4e876f0aba61617eee84b4f4a06ea7b3ced50

SHA512
59d0717bf18b4f6b2e6f5bde0a8b6fb92359355cd7c3fa3acef7941e2cc81b9f1ff4603c86508d9f65ee31409d47ff3edea74319d39307547eb89b6a71ecbe08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
801B

MD5
2e4012116041001940d99eb8afbbf86b

SHA1
b6758833140713108ea515907658f060ab37fd42

SHA256
bb19beaab9fb5b9232a574e850be4a238429a9719a47b52610be86f5ef6d8e65

SHA512
4745621b1fe95cf861bb7875f50e23f0849d475da766e98547ce0d2af044bbc40f7c947e53910cc2a15c89eb37d6ffc80ab93a474ffe072f3e2fc061f1070232

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dca43c03077039c7a3882b3820baaff0

SHA1
5214c5efb28f217368219eb3ed36eac0c2c21973

SHA256
4171fffd2e6bd1b8f8794f8a053cfd0bb862afefe97636ca72110490f18a0681

SHA512
e9c4036c1f2999e71b5bea67d7772f63440d5a3d633854525695b9bff292ea206431d5a0e203d3b86c5a30e99afdc11c5dcd27876ef9f59d5d0ba9309863fe3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
34b32d58064e6810a682897d2c68eafd

SHA1
4fd9418c2288f94660bb7fcaa4f9a725bb7af996

SHA256
4e6c23f2d73da3b807fe81bc8fdb7ca718189f73827f949304242703164fc775

SHA512
ac4304d8427479eb7f877830b523534b1e9afd15577c0ea81cba8f494f230af39b4fcc139bc096dd0cae638b20c3a7b27429f9680be15a4031c58320f9c0b7e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7310829088af23835ef9e52f166cebf8

SHA1
199bf9478c2c7177d4134e740548ef74672b302a

SHA256
45f253cbb05599c4e3ea55a22b27448950617d2ca31f2bdc9e9f867812da710d

SHA512
8ed2e4ad6737c2d2c619278a39b62c81bf6d6f420a50667d239d2a545879ea292ae3fd53b33ab69a7271c432ad11bb4f1e560efcb29eeca017bc5f3726599541

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
80759db84ed94e4d0d4455c444b90456

SHA1
36ae9ca87cb6a64963186e94f5a90a5f0986a55b

SHA256
27dd1cceb71cb2e85bb47e74ce2d56924cbdfed91fa15c525124ded9ff940e77

SHA512
0376ce98acc6ae6d85d926419479a95fd2d062ad20fac1e173ba2bb67de0df6787fa4059e52d00d76737e172ec6d8e1893b7c9b135374f6c375da08a87c2a23e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_1720_WNTFSACHPVGHJINS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads