hxxp://surveymonkey[.]com

Analysis

max time kernel
34s
max time network
49s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
21-02-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://surveymonkey.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133529987691660459"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 4800	3120	chrome.exe	78
PID 3120 wrote to memory of 4800	3120	chrome.exe	78
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 1436	3120	chrome.exe	82
PID 3120 wrote to memory of 4836	3120	chrome.exe	80
PID 3120 wrote to memory of 4836	3120	chrome.exe	80
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81
PID 3120 wrote to memory of 2824	3120	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://surveymonkey.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb4559758,0x7ffcb4559768,0x7ffcb4559778
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 --field-trial-handle=1816,i,13101076304484720661,17287667833058523743,131072 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2044 --field-trial-handle=1816,i,13101076304484720661,17287667833058523743,131072 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1560 --field-trial-handle=1816,i,13101076304484720661,17287667833058523743,131072 /prefetch:2
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1816,i,13101076304484720661,17287667833058523743,131072 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2856 --field-trial-handle=1816,i,13101076304484720661,17287667833058523743,131072 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4456 --field-trial-handle=1816,i,13101076304484720661,17287667833058523743,131072 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1816,i,13101076304484720661,17287667833058523743,131072 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1816,i,13101076304484720661,17287667833058523743,131072 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5036 --field-trial-handle=1816,i,13101076304484720661,17287667833058523743,131072 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4992 --field-trial-handle=1816,i,13101076304484720661,17287667833058523743,131072 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5468 --field-trial-handle=1816,i,13101076304484720661,17287667833058523743,131072 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5672 --field-trial-handle=1816,i,13101076304484720661,17287667833058523743,131072 /prefetch:1
  2⤵
  PID:2292

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
3f03c32cae878ae01f9c24f4e3267aee

SHA1
7c5c918e37d549f2faac2a6b0120361df81052aa

SHA256
6d1afbbc435742e003b2afe8b070a59286c242ff20fa8c53fa7920e60e7d8f3a

SHA512
be4c7c790cc3844533c439ed93ba80e216783bf95960231f438974f3ca0a9df14879f4c78a0c27d0d7fe8459bd9714339a17212206a3a08c4fbe24ef55fc2894

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8909ed77-c3d7-46d1-b17f-8e87a3675d78.tmp

Filesize
6KB

MD5
c20ee6c33e7482159854e6eaf4d92473

SHA1
a1270160fe6c5a692e13e87bff08613c114e48c9

SHA256
aea2fc38a845206340c84d2c71b2ccb7aa97d77eaf8d5f2a97a3b0945a55ece0

SHA512
7db9d522c5648280f14bcc02bffa5943956147c4e7eb5d814d35c1af294a2557dbccbf8451bc8a982bd8c58ced61ef44081c12f49053a441fe7000069891bcef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a47a09d1966eced6b933c04871f6a110

SHA1
10dc5779f604dbce5b41c0c07362fc932cf32451

SHA256
f5c2e948e9b1741e73c9c60d7a8054120292fe3ea12093d5c6fa4211aca60740

SHA512
3787076f460dd0f273667357572f71db2df41c4fc100f6ea0065d78428224b1b61ed8d819a6a659848c720e6fd0f5750b04914ef6a4e19bbf751ab8d39ad81a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b006463a240ec254b5053ba9f2ee5c88

SHA1
ea52ab82c8d6030a61dbb9acb2f0421831d7eb95

SHA256
bb7d3d8479fb0ff9c0fe8aaea9b5bc267dc2b0a3d0234f0f195a6b7cb368bdf0

SHA512
c6959829ba376abcd8e666556956c7b43a18d8fed4c0fe1564501f55b9dd47b7211cbdc0efea728ab335eae2cad18bb920166a149eb3fc4a2edd68c21e394885

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
7884d53c9313c339839fd4053320dc07

SHA1
d754706df7b48e08385f31eb3472eb5d6ada005e

SHA256
8baa0d95f6e8e59c460a91edae0e6ce97de970dad6262b9613bef525965766cf

SHA512
3e912819ad3477908f66b69ccb591bb59c52a7005a476429836e5b26f1fe312104221c5315201672262dd18b83b468552a9ded15e13206e4db0691270fdfc6d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit