hxxps://ncaircalin[.]sharepoint[.]com/sites/MyGed/SitePages/Document[.]aspx?document=MANUEL*20CCO&documentId=24685

Analysis

max time kernel
299s
max time network
280s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ncaircalin.sharepoint.com/sites/MyGed/SitePages/Document.aspx?document=MANUEL*20CCO&documentId=24685

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133528707386638273"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1416	chrome.exe
1416	chrome.exe
3124	chrome.exe
3124	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 4824	1416	chrome.exe	87
PID 1416 wrote to memory of 4824	1416	chrome.exe	87
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 4644	1416	chrome.exe	93
PID 1416 wrote to memory of 3412	1416	chrome.exe	89
PID 1416 wrote to memory of 3412	1416	chrome.exe	89
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90
PID 1416 wrote to memory of 1320	1416	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ncaircalin.sharepoint.com/sites/MyGed/SitePages/Document.aspx?document=MANUEL*20CCO&documentId=24685
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff968c69758,0x7ff968c69768,0x7ff968c69778
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 --field-trial-handle=2020,i,7887131667271599489,1766541913538040509,131072 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=2020,i,7887131667271599489,1766541913538040509,131072 /prefetch:8
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3332 --field-trial-handle=2020,i,7887131667271599489,1766541913538040509,131072 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3208 --field-trial-handle=2020,i,7887131667271599489,1766541913538040509,131072 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=2020,i,7887131667271599489,1766541913538040509,131072 /prefetch:2
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3744 --field-trial-handle=2020,i,7887131667271599489,1766541913538040509,131072 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=2020,i,7887131667271599489,1766541913538040509,131072 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 --field-trial-handle=2020,i,7887131667271599489,1766541913538040509,131072 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3028 --field-trial-handle=2020,i,7887131667271599489,1766541913538040509,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
f988f767d203d11c02d6554695eea36d

SHA1
931d71e198c7f30c391d6c8b31fa50f350124969

SHA256
1db36157d1094b81cec47a2026a51933ada5a5db5422badecbad359a516622e1

SHA512
899369b9befceb5a7a316cbfecd85968c8dff46f37475c3b6b6b1b3e23d627395573e9fa3bb612b7acb5d6ec93feda2c7d1aa3f9c2e456108523333552cd5f7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
8994dc38f96bf51a90368039293dc09d

SHA1
850c97f867ccc69eecba3853996ae4ee4fec4076

SHA256
2594706f44dbee8a3340d19fd5384e13935d1a817cc1d126130cad7cf6a2d223

SHA512
7cf4a9e3069b211324800d328ef85f94f0412259e53f1fbea9b6eee4367fee632efce1d3f37affb6093023f21abf36a4fdf43787c3779c74278e0f90c50b2f7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
270f285170829ed665d33f8e84e42d7b

SHA1
d0344577e950dd9ef3c55a84b32c15a69f612373

SHA256
348fce130304b04ac36126bc08b6702315584a58fe7e9fbaacc1751e5e656a93

SHA512
0a8b05a2d848bdcf0e42c473c1603227d2ae9d511245d70fa41c95144a13af42730117254eea4e709e79d6052f433885ba57a0f9cf38316bb32f839f1be2c3e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
4b01fd29c7881a16f4ea39eab05ad8b7

SHA1
a2b4b4c57aaa561743851f5770395e0b6a7305c1

SHA256
ebb3e3a9362b1ec6b7b8fcc303d87fc0bf703483a89a5896235601c157a65eaf

SHA512
ecf77d661467003d2d173d3cc632534873eb3166db00a803428aa90db401fd221c6ad21959266b5cf649f363264952953b63bbf3cfb12124544fa61c8b5d87a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
16590e2daaf67f5734aa670106bccb60

SHA1
7ee0175a3c2e768f51f868fb55ed02bdfa929b1e

SHA256
870b0d61600a9cf6d68f5e0596c295ab1fd2bd6ca9288f4d0ad0b4eaedf9c238

SHA512
2a925dfca5a1e9f999bcdaead5ba21756e82f5aa331d59a161786e50121678017c778444f4a35296bf0b73c281a2500054f70833a0d1fc81f39ec58df9e5ce27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
39f638b04d9c13da5d19f2e919314b1d

SHA1
36d654427e3b002c637a8502c95cc27a7c289d92

SHA256
829cbeb2220f3beeb877105e8e2478b863b8cae7c6fbfca606acc8f1e9936a56

SHA512
a098b46f0e35418e09d0a90dbaae6aa762bb3c5f8fd027d71d112f48f61c48bacb1ec6cad823a097a1177159232d36db4815e942eb945f97770416ad277491ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
e47df5cb1c691ade313d01cebcc295d7

SHA1
b0007ddd13c18f091b234ce8ef656476636fbfab

SHA256
d549eb0351c6cbd4c99a4fba76294e17a5a3f32bd33053da7ff397db6407c290

SHA512
414ab234151ac6ecb0973d77a10d1d03f4cd67c654c515fd488a362deffcf55b86b461c3353445c941f9fc8147e1433ca3b978ea5c449ba56e2d4f67d7073151

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit