hxxps://forms[.]office[.]com/Pages/ResponsePage[.]aspx?id=OPEIfobOwkS1pP580GJSNAuJNY_SPS5Cvl7u7Fik4oZUQUFJQVkyVTRSTjNXM1FPV1NJODNWV0FCQi4u

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://forms.office.com/Pages/ResponsePage.aspx?id=OPEIfobOwkS1pP580GJSNAuJNY_SPS5Cvl7u7Fik4oZUQUFJQVkyVTRSTjNXM1FPV1NJODNWV0FCQi4u

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
428	chrome.exe
428	chrome.exe
4872	chrome.exe
4872	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
428	chrome.exe
428	chrome.exe
428	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 4556	428	chrome.exe	45
PID 428 wrote to memory of 4556	428	chrome.exe	45
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 4576	428	chrome.exe	86
PID 428 wrote to memory of 2780	428	chrome.exe	87
PID 428 wrote to memory of 2780	428	chrome.exe	87
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88
PID 428 wrote to memory of 3868	428	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://forms.office.com/Pages/ResponsePage.aspx?id=OPEIfobOwkS1pP580GJSNAuJNY_SPS5Cvl7u7Fik4oZUQUFJQVkyVTRSTjNXM1FPV1NJODNWV0FCQi4u
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc9229758,0x7ffdc9229768,0x7ffdc9229778
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1864,i,10698817345117729586,14719218982053486071,131072 /prefetch:2
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1864,i,10698817345117729586,14719218982053486071,131072 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1864,i,10698817345117729586,14719218982053486071,131072 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1864,i,10698817345117729586,14719218982053486071,131072 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1864,i,10698817345117729586,14719218982053486071,131072 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4636 --field-trial-handle=1864,i,10698817345117729586,14719218982053486071,131072 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1864,i,10698817345117729586,14719218982053486071,131072 /prefetch:8
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3292 --field-trial-handle=1864,i,10698817345117729586,14719218982053486071,131072 /prefetch:8
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 --field-trial-handle=1864,i,10698817345117729586,14719218982053486071,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4872

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
2b6ca1ed0fd2cb1819e18445fd094cf9

SHA1
e4df5595327877642678e0d99a35da392a9cc13b

SHA256
5317b3e36e01ed7170cc5aefb316438a6a93b6ae6a3b437f5e05852970eff410

SHA512
357a0b95e145a23f39a02e5f6b142c0ff266f31c111777c5df018a2a88d1f85a62b7d08de55cd4c35bf90c89e1148e7976c215b94bdff097434e76cae6abe805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
542c8a74f75f53aef1ee9c842153979c

SHA1
ea37e5e9158976d0bf384d9f224ab84df80cb97c

SHA256
44eed8de409049279df7378fb88ebb111296342c6420d877bda162f622ed1db4

SHA512
47239e37cbaa498ea5624d649be58b077fe00dc40507b0d68869bfc6fed26f4a03c2a4b297ead250dfd6aa26c82f3faafddb033d83aa406cf21cb8f49603500a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fab0dd72444a01b7ffd8722ef236ebfb

SHA1
30f3cd3a2aeda21dbfeb4a208a6dd5cab245838e

SHA256
c2656724be6fc10de8a6aa0eac47b701967ca0f34dbdc226515904dd4067a8a5

SHA512
111c35081e957186d2e3531bffa66733209580b3ddf61b61c2f296401a0db57087c50fe0a5a0b72d3c23fe21d2e19ca0e4055931aba950459e532d579bf2b225

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4b00f31677b816e73e5b6f9924791fd7

SHA1
4fc21c4f0fc5b95a2d2291bcee3aa9407f8abb1c

SHA256
ecad57d3b1771abb51ede8b2b880bba5d7bc3ec27785a03c8e5e315729949756

SHA512
e0cfe003803f23fc2aa72a310ccc922fa1ceb41aa70c242bb20c5edcc409128365c5ab87118c8c7784497dd69e95e5700878c08ed44a0104f69e28fbf142e487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4476061c551e855224fc7b780d0c7f28

SHA1
abf75f9a906aed48b62812e107d77e392a71fc83

SHA256
cf5a5535192a447545a0792223ad0234fa5d2a7d951121c2e8150cfe7fd0cf84

SHA512
98c10dc1a8b7444af20e6371c5d1ba45e8a65020d663b16848b1882eab538eae41ec6df918d7fc0351ba6671ae525c967ad1ae1238057073fe1c26030cc64b21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
533ed9c1fda707f0f17cf1b6d31fe5ff

SHA1
c180c021042c4fcf3bf1ee84e8902a2a78530b40

SHA256
82ca7e326361cbf5a503e7aa53225eac171f9fa1bc8cf18d3997df2892b4b12a

SHA512
d334ddd0cf1a9607fbf98321dccd68a78d4b14f3bcd6eb810deb91ca55e8fb01eaa42e645ddb8f7a008370f18c97620d401907765328e03284f321e7cea7e42b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
d7a020c010fbde82614a77fa14526fe7

SHA1
2448b159d630d27598875af4fe92193fa17712d7

SHA256
a8c0b89f4d185c49176ed432088d9336aaf8e6a40eabf53e78c278a2f3cc8f44

SHA512
f3a33880f8c58b6fdafd6193cec9f7f7f40781b2684952bf94cf3022205cffe2a1bf3dc3953380ed30634504f9930dab16cbdef5b28d747a6b083c7fce24a9b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit