hxxps://bgis-trn-reachsso[.]fsicloud[.]com[.]au/ReachSSO/!System/ReachWeb/Default[.]aspx?id=0&controlName=CSFFeedback&entityId=22138&type=TASKS

Analysis

max time kernel
299s
max time network
247s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 03:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://bgis-trn-reachsso.fsicloud.com.au/ReachSSO/!System/ReachWeb/Default.aspx?id=0&controlName=CSFFeedback&entityId=22138&type=TASKS

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133528719138216481"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3964	chrome.exe
3964	chrome.exe
3128	chrome.exe
3128	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 3220	3964	chrome.exe	86
PID 3964 wrote to memory of 3220	3964	chrome.exe	86
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 2020	3964	chrome.exe	88
PID 3964 wrote to memory of 380	3964	chrome.exe	89
PID 3964 wrote to memory of 380	3964	chrome.exe	89
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90
PID 3964 wrote to memory of 208	3964	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bgis-trn-reachsso.fsicloud.com.au/ReachSSO/!System/ReachWeb/Default.aspx?id=0&controlName=CSFFeedback&entityId=22138&type=TASKS
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeec079758,0x7ffeec079768,0x7ffeec079778
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1860,i,16206657622446495734,212587303984999082,131072 /prefetch:2
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1860,i,16206657622446495734,212587303984999082,131072 /prefetch:8
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1860,i,16206657622446495734,212587303984999082,131072 /prefetch:8
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1860,i,16206657622446495734,212587303984999082,131072 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1860,i,16206657622446495734,212587303984999082,131072 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4956 --field-trial-handle=1860,i,16206657622446495734,212587303984999082,131072 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1860,i,16206657622446495734,212587303984999082,131072 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3232 --field-trial-handle=1860,i,16206657622446495734,212587303984999082,131072 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 --field-trial-handle=1860,i,16206657622446495734,212587303984999082,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3128

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
5dadd03de20d6d65a6e108caaabffda5

SHA1
1af84e93fb5bff6151f2c6d41174bc84521c8407

SHA256
23832b11bdf67f193454f5f87589293e36710373a884782959b4564513f14340

SHA512
94bcb633e73454a1b987b083d0869eac7f890129a193adbd314d098b8c3646534938a65c4130bcea352b3236de21d31dac4e4e7d09c4f82c756f9de4dfcdf022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
42221c3c97b204f4e44a773b0b714425

SHA1
7756899a13f4b8faaaed43dcad53896dbaefa07a

SHA256
ff9693fcadd8d9363d5760e92c22fb42e0983bbc367b0540efc01c78587de4b0

SHA512
1efe693a29f14d513aca3340fa553fb45896db2701a04cb93812544307d97a715b7d26df1874fc53b650c433f5ca0965675a5f557771e178a363f02d257ff8db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
3e815f2cf4ae8b2f1e8ea101982b75ca

SHA1
7648da60e291d1cfa20688bbe1bb0f96737ccee5

SHA256
8d78d85350eb6450a5288c535dd2c9713905e11de35134561468cb4ed33bf8f7

SHA512
1953c457679b5eea29ecc9b58678c17e0c59c826737a63198791aeb00c9d0ef9d1c2059b0b25492282553384dad2dba4a645411b79e249231867fa11951a9bf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
29077238d1e4311500bb76c51a5d47b6

SHA1
71b8e6093c69dc42b9115fe2c9cd787387322469

SHA256
dff76a91da79ad3f9edfc4cde8ffb0a47d824267a24ed072fabb868b3740e6ad

SHA512
e406d7f6859b88777a82d90488c4e09ec38fac9920710583f75c2a440e456da574e8e5bef08e3da20467c75f1c654ad4aeb6c7b29414d63fab3e9700a30984d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
c129242de8112b9294c51f0274873a81

SHA1
c63d9cb7a2c161a9d1867a3d3ce999c42cb055d9

SHA256
6f8ab0db0845aed13cdcd4c53adfaa0acdcaea60f267eef9e4a3b9065e52a3e6

SHA512
3c7360ca651c3d0771d925d6533aacd4c208b16aaa82859e0d0977e2a043ff2e8aa252fe3d1d059726085eed95985989f2e932b7da3b8633feacd8ebfcad66d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit