hxxps://go[.]ideagen[.]com/e/991162/s-in-the-public-sector-webinar/2sxj7/361331937/h/mZTvazBnzhhaxKyrSOfKUkkVcvdalMfJMt2Y43a4G40

Analysis

max time kernel
301s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 16:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://go.ideagen.com/e/991162/s-in-the-public-sector-webinar/2sxj7/361331937/h/mZTvazBnzhhaxKyrSOfKUkkVcvdalMfJMt2Y43a4G40

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133536121584254330"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
876	chrome.exe
876	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
876	chrome.exe
876	chrome.exe
876	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 3412	876	chrome.exe	35
PID 876 wrote to memory of 3412	876	chrome.exe	35
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 4332	876	chrome.exe	97
PID 876 wrote to memory of 2492	876	chrome.exe	98
PID 876 wrote to memory of 2492	876	chrome.exe	98
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99
PID 876 wrote to memory of 1896	876	chrome.exe	99

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb31419758,0x7ffb31419768,0x7ffb31419778
1⤵
PID:3412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://go.ideagen.com/e/991162/s-in-the-public-sector-webinar/2sxj7/361331937/h/mZTvazBnzhhaxKyrSOfKUkkVcvdalMfJMt2Y43a4G40
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1908,i,3949963830110291137,4135349884712774078,131072 /prefetch:2
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1908,i,3949963830110291137,4135349884712774078,131072 /prefetch:8
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1908,i,3949963830110291137,4135349884712774078,131072 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1908,i,3949963830110291137,4135349884712774078,131072 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1908,i,3949963830110291137,4135349884712774078,131072 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4968 --field-trial-handle=1908,i,3949963830110291137,4135349884712774078,131072 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1908,i,3949963830110291137,4135349884712774078,131072 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1908,i,3949963830110291137,4135349884712774078,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 --field-trial-handle=1908,i,3949963830110291137,4135349884712774078,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2472

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4180 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
1⤵
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
102KB

MD5
e8dade46d63456f10ecaf46509ff6760

SHA1
408ab2e43699a05b3927b1911b928a300063e004

SHA256
be5b4c8ee47713f7c10103d691b6ffae75932f223a8010bcc8f6faad52227170

SHA512
bdf8695d6e28e269e33278218b4e7e546058bbee0d1da6c459cb653b67a5c828d4729b283e641aa84268fa0eec75ff5d31e9f4115b9b6ecbf406b9d1fbbd4b2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
76f4feb7a48d5caed37d4352115a1a7f

SHA1
793a994cf81fe6e2169c02841ec66ac64103a97e

SHA256
cabd4c22f4461848625bedc6d5a09684327608bf0fa9a38f4f7b9d9acd8640e6

SHA512
c6af7500e796bf6cc397c985293b952249fc4cf3a5ef913ab2c914d69c5e7bafeafc16e7f85cdfeea9713106933eedc5faa3e97ed3dd0ef373b3e5d378dba0c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a5dc27ad89d42befee8cd1426041659e

SHA1
92011e03f658c38b1bc24de63d41c1351f6affa8

SHA256
67c101d3706f9a8a9f4fc6ef0b01c6f67737ca92c64c5c6134e469b6b79c0b4f

SHA512
6b130c2010e1e52995c4e17094846e8942435a9e06f60a392f6acd4a81d0f0ffc444210020206d1eb901db2d215af9abb9a858316125f492785cf3749723155c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
50d797c9eccf8d9763eb379262a6c2af

SHA1
298b87358ed4fb15ad75ea7728578d7be568e9f4

SHA256
84695abd69768704fe5ab1bdfbe33366166ecdc22c0cdabef50456ae4b81a3f6

SHA512
4354370bdc7fc3ef8987eebf1d31fd87783d78fa54e234219829a62fd22539613efba0c98997d83104ed8c1c5fd6ba78e1ad754360182c19c1cc41dd90c8d141

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
979e27a47322d63a170c3e5dc1debe56

SHA1
de653ed082cdc3cbed732174a0ced2580e7635b6

SHA256
61c4d8dc61d4b765167f69243a211647bf0a58654a7b1076fdc83fdd9bf54297

SHA512
4e61d436aae2a160568514400fbcfa65337e16947f7f8ca9d3de5c5c5532cb583991c4a346ac236f9e8a878fe6dbbbf0201959cbf841d3ac8a2b3393021beb15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
85a0861b202f8a50d756432d87293672

SHA1
f409fd9630a95101d4b80d45516f36ffc87cc163

SHA256
420426aa679ebe830c62ad26af57a91009509324f58331a9949c978f4bbe6a55

SHA512
643e2a85cda204d77fc6a4f4316fe7e8acd8816668b58cf0add01de78faea70b457ed06a9a3b10720913b7173a1e701cae024b4a38b54ef3ed6a1c5a01fea725

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
6492ff064b37df07c45f2bb179324217

SHA1
d738519ecdc3b0b33a5cbff614c3df5c999fad0f

SHA256
84cd9d7e9a1a0af4f1ff2e29cb667f30b3d3c7500cf732b4566ea5acc8712180

SHA512
346a6455a342600544392716d0b21fed05c28816d29999165697ff1fc65de06360e7c4cf3410a85ade573ef5ab6a602375df04228a600533ed7db0b728a4f9cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit