hxxps://protect-au[.]mimecast[.]com/s/fsQRCnx16pfGGjZBhJ2YRT?domain=collabwithhesta[.]atlassian[.]net

Analysis

max time kernel
149s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20/02/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://protect-au.mimecast.com/s/fsQRCnx16pfGGjZBhJ2YRT?domain=collabwithhesta.atlassian.net

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133529409504544202"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3492	chrome.exe
3492	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe
Token: SeShutdownPrivilege	3492	chrome.exe
Token: SeCreatePagefilePrivilege	3492	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe
3492	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 1052	3492	chrome.exe	43
PID 3492 wrote to memory of 1052	3492	chrome.exe	43
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 2300	3492	chrome.exe	87
PID 3492 wrote to memory of 4116	3492	chrome.exe	83
PID 3492 wrote to memory of 4116	3492	chrome.exe	83
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86
PID 3492 wrote to memory of 4964	3492	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://protect-au.mimecast.com/s/fsQRCnx16pfGGjZBhJ2YRT?domain=collabwithhesta.atlassian.net
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb2c3a9758,0x7ffb2c3a9768,0x7ffb2c3a9778
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1828,i,5543915496940820835,10812003167378514767,131072 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1828,i,5543915496940820835,10812003167378514767,131072 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1828,i,5543915496940820835,10812003167378514767,131072 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 --field-trial-handle=1828,i,5543915496940820835,10812003167378514767,131072 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=284 --field-trial-handle=1828,i,5543915496940820835,10812003167378514767,131072 /prefetch:2
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4488 --field-trial-handle=1828,i,5543915496940820835,10812003167378514767,131072 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3852 --field-trial-handle=1828,i,5543915496940820835,10812003167378514767,131072 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2948 --field-trial-handle=1828,i,5543915496940820835,10812003167378514767,131072 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3696 --field-trial-handle=1828,i,5543915496940820835,10812003167378514767,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
65f8c6c6d50b492ba355c61779044014

SHA1
efc98d2f4a4959f48a130ccfdc5c7723701b970a

SHA256
6b48ea23b012b57fa0f605122ef4a00203671a0eae34e9b2d0af3a3b11d8c8ad

SHA512
107f8fb254b5c70f6499303e6de699f67ca8567dd79e6afa98c8e241c364a5f3d82351269ed7f9502ef2d30b0483de3a0b4d3b8b2e31de726c59e159b5a88bf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7909ccd29c94a1e95e61578e00f9ef83

SHA1
3aa38effed8ed5ce510fee576efb0ddcd8be6177

SHA256
20c73fa4377db98c86915809d191ac99981399e11b4be9d4442e9f04deb48185

SHA512
1d9ab0401bd4611499b2271ddae1d8bf72e6514320f8ea4fd3ae1a0a4cff9ba2655090ec9c197e8f766ce86d37feabf73f721d28f0bdf3dd1ed4ea5a381f6281

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
16c0a567ddb1f13ce1dd82c282d6a160

SHA1
4c3e594469a436bbbcaeb5530bb14446431d1d35

SHA256
5d5516b3f5493b85c3529c33eb44946348b3d3018b54bcfbc9a592edaede9928

SHA512
08da25750187da6eb207acd473c07e1bfde7b03f3129ce35da3dd62527045deb73a88ed94a05d362c95703dbe94a89cd1d48d0d7232b71aa8c3244ed60cba51b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aa6167d6c0fc7439304a908c977d2934

SHA1
f017f6b372bd2c707713d72fdf84ab452ea89b22

SHA256
25894d53ba8b4829710477ac341c2a91cfda968390731f0bf01e7fc94355eff7

SHA512
3080ffc982e42f0ba648505b0312b1de89a6a9ca29aa340a768a7a6c5958d5e66bd6b65dfba1af7581c61d0f9454ce209bf9334f5a792e545d1ad4eaf774f3af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fcdc02b0d3ccee1dcb47dde5ba2d77d5

SHA1
281735d33bf0be3ce5fdba08b93cdb72040b8ec9

SHA256
9bfd184013b871594202a345e2982683e039ab6c8d597357fa39489525c191b7

SHA512
5794c2daec6646571b8cce5d4eaf07f3dea068d4a5dea35d46ac3ae3aa337b3011fc9b9b50914ef80605405e139a339c36a568a110a814aa0ba0bed2863dcefb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
463845e1ce7de83dcb75610f63028c58

SHA1
b3b943cf1d1b0f8a7a9069d05921b5fd399b5ff8

SHA256
ca8e3e709401474aeedb9b451afa1785fdca419e17cd71430966e79de247c8e4

SHA512
33f43a3456522493afc04c8c3d6bb6317a213e52365d92ad53f4a2ef62f62ea2250204c797501d34578e663c133ccf1c34275e2c2eeaa2e8552bba7e4926745f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
fcf7ba451aef70fa010277662ab8c7a6

SHA1
3ed16c319a2493ee4af9750536454b417fc03fbc

SHA256
fe7420e02727a39ef5f9ea3203a4d9164e11c6d06c50c3b608da432d825c968c

SHA512
e984607d563739ea34240990861e867293f2c407206ac44eb855b72bb345c82e3d8e8ccefee6c35a17bf7ae21ca0ff715f28ba80d9a23434121e27286514f362

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit