hxxps://form[.]typeform[.]com/to/aF4atdAE#email=mandy[.]rutter@iongroup[.]com

Analysis

max time kernel
33s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://form.typeform.com/to/aF4atdAE#[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133547311121035824"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4056	chrome.exe
4056	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4788	4056	chrome.exe	89
PID 4056 wrote to memory of 4788	4056	chrome.exe	89
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4316	4056	chrome.exe	91
PID 4056 wrote to memory of 4044	4056	chrome.exe	92
PID 4056 wrote to memory of 4044	4056	chrome.exe	92
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93
PID 4056 wrote to memory of 3408	4056	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://form.typeform.com/to/aF4atdAE#[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbcba79758,0x7ffbcba79768,0x7ffbcba79778
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1724,i,5086871218161340850,16117509991819558922,131072 /prefetch:2
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1724,i,5086871218161340850,16117509991819558922,131072 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1724,i,5086871218161340850,16117509991819558922,131072 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1724,i,5086871218161340850,16117509991819558922,131072 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1724,i,5086871218161340850,16117509991819558922,131072 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 --field-trial-handle=1724,i,5086871218161340850,16117509991819558922,131072 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1724,i,5086871218161340850,16117509991819558922,131072 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3932 --field-trial-handle=1724,i,5086871218161340850,16117509991819558922,131072 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4796 --field-trial-handle=1724,i,5086871218161340850,16117509991819558922,131072 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3952 --field-trial-handle=1724,i,5086871218161340850,16117509991819558922,131072 /prefetch:1
  2⤵
  PID:4676

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
689B

MD5
1bafe54f06bb2059bf8cfda38f887c85

SHA1
b663c70d993f30fb5e9e1fc93f7ab0549624c5f6

SHA256
bce924eabe33459eeb65b496eaca3155618e0ff0bfca9442e0f4e0a6597db48f

SHA512
820acbe1c73d5f933963f8dd2e7d284f5fefae35b708bfcc7539d60456f2eb403dedfd76047049aa451d4470d4e05b9ebbd40ce900ba10fb87da2a39d398ec77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d4201d0af28242f67216b5baf033ee36

SHA1
afe48e8cecc85dd313872660cbda3e53c54a7e4c

SHA256
bcd99de4d47a106e004aa07e9b9af8c33d8794f22d4b49d8dac6e4b168d7944e

SHA512
73104c33e12bb2f0cf6a1b17a3e0219f99d1414cc6b315a41a46aea4d327dacdef801aeded663d54474d59b821a5957747f301406050e24d8dfa8459060fb62f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6909dea9bc1437f4d98ff8b9b384dab4

SHA1
c9961c5d11631a8d36e8ac900bfc2acb0ffabf0d

SHA256
dbe84d40bf0d785a33f69e0eab8ed8e0f5943da25d826b450dc329dddd63efa3

SHA512
f475a7289b0b0e43fdcdce3be629efdb307b7d705571d5e847aaeda6f18a1c9b931ecf5e507104d3d625b21c3711cd1a1bdf7f1a829d7b2f1a74307368214f14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
49cb0d70a69b9fd625874372bc11e4f9

SHA1
873b0f119dd02ab16195aeedba207990006d0a65

SHA256
150e5ca59f471fb71604c8ab8bcc2e6d70d219da0bbc15c38e8d94e50e818b1c

SHA512
ca8c4cecfa8352f42d16b1e678598dec899270b781fdbce59754785f53ea0f11f41977d297d1fce75a64282274ad987303fa2c47b3641b583c9f623200faee33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
1c4f3ee04681cf0cc8dfeeac04df8111

SHA1
5aa2f7354fec5bc8e2fe1664bd8a300e4c1747a7

SHA256
bfc33a38f0b07e6ef1cdc513a1df4b2e8b01c1826eabecc297e2885fdb4c25af

SHA512
1f0b7604373672b1236559cc1999197c44226c4f9749b1ec482993e835d9aad8718adfdee8b78b681f7408aae19bb5562a8e6bd57d23215901e623037cb7198d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit