hxxps://c3yww04[.]na1[.]hs-sales-engage[.]com/Ctc/OL+23284/c3ywW04/Jks2-6qcW69sMD-6lZ3p2W510QMk5RZJc3W17Qhhz4z36tlVSDfWC49pn39W2d4vSl1LMzNjN3xMmVWTKy1yW2T9Rkv2cw_S4W38bSXn7hdcgxW5swqHM4BSYFLW66b9DX6PlYTpW64TKpb4s4cLSVMMn0Q1CYCzgW4BnKDx94LrrlW4_XNqY4S9brZW44WfgJ7kXqpdW6NvYG51KdRCJW7DpzrS8lbgT-W8Yf4q66C4MT5W4d0fQ14K9rF9W4njhfP4vVYsBW1zdcYd1x7txrf3MS2LK04

Analysis

max time kernel
45s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://c3yww04.na1.hs-sales-engage.com/Ctc/OL+23284/c3ywW04/Jks2-6qcW69sMD-6lZ3p2W510QMk5RZJc3W17Qhhz4z36tlVSDfWC49pn39W2d4vSl1LMzNjN3xMmVWTKy1yW2T9Rkv2cw_S4W38bSXn7hdcgxW5swqHM4BSYFLW66b9DX6PlYTpW64TKpb4s4cLSVMMn0Q1CYCzgW4BnKDx94LrrlW4_XNqY4S9brZW44WfgJ7kXqpdW6NvYG51KdRCJW7DpzrS8lbgT-W8Yf4q66C4MT5W4d0fQ14K9rF9W4njhfP4vVYsBW1zdcYd1x7txrf3MS2LK04

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133547881776166285"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3688	chrome.exe
3688	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 2836	3688	chrome.exe	89
PID 3688 wrote to memory of 2836	3688	chrome.exe	89
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 3732	3688	chrome.exe	91
PID 3688 wrote to memory of 4520	3688	chrome.exe	92
PID 3688 wrote to memory of 4520	3688	chrome.exe	92
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93
PID 3688 wrote to memory of 1712	3688	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://c3yww04.na1.hs-sales-engage.com/Ctc/OL+23284/c3ywW04/Jks2-6qcW69sMD-6lZ3p2W510QMk5RZJc3W17Qhhz4z36tlVSDfWC49pn39W2d4vSl1LMzNjN3xMmVWTKy1yW2T9Rkv2cw_S4W38bSXn7hdcgxW5swqHM4BSYFLW66b9DX6PlYTpW64TKpb4s4cLSVMMn0Q1CYCzgW4BnKDx94LrrlW4_XNqY4S9brZW44WfgJ7kXqpdW6NvYG51KdRCJW7DpzrS8lbgT-W8Yf4q66C4MT5W4d0fQ14K9rF9W4njhfP4vVYsBW1zdcYd1x7txrf3MS2LK04
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5c959758,0x7ffa5c959768,0x7ffa5c959778
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1868,i,12825753980778528603,10666922854441664448,131072 /prefetch:2
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1868,i,12825753980778528603,10666922854441664448,131072 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1868,i,12825753980778528603,10666922854441664448,131072 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1868,i,12825753980778528603,10666922854441664448,131072 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1868,i,12825753980778528603,10666922854441664448,131072 /prefetch:1
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4980 --field-trial-handle=1868,i,12825753980778528603,10666922854441664448,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1868,i,12825753980778528603,10666922854441664448,131072 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3236 --field-trial-handle=1868,i,12825753980778528603,10666922854441664448,131072 /prefetch:8
  2⤵
  PID:4992

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
07fe9ba0acbabb25f548f03ea29540a8

SHA1
2e55b52e3c5237b1b61cf2dc629e98364837bead

SHA256
8e70ae12db3b68b067add4d96327ab3546f8f05f8e0903277fd25d38c67ec633

SHA512
e8b33c0c8dcd5abddd3176720b84588e12305aa8e5494168af896fbc17d7c56a445228dbc6faec4478b6d4beb534e2e8b566fdbeb6118903f5ca80a7fa719d79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
406ebacf974782a2b639c684fd3a1180

SHA1
ecdf664726d96e910d46433760f9885c7b0c80fb

SHA256
e9dd18bf2d7932ab572a098fb1a8651872037ab6a7e67871782ad6daa3e64038

SHA512
545014d48466937820a34c72ff98dabcb44e1393801841dc644313a93d2a1ce048ee271a21aa8e055cd564801faa1902e42f7bd779c9eaf50c83cfa4e23199cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e7d7660751903cc5023061ac80caccb5

SHA1
d5655c6f125b25c82367ffa0ca2d6b6c82ffeaf7

SHA256
ab290e7edf435480c561a37b24803b1f632de07a62143e4c008cc2248474150c

SHA512
6c8cacd711a2a624ccaa6f84e17b136edc35f4cefde98cb01a7cc4474cc65a5abfc050d8dce5a5c20c39d38891d3f28a084cf7ba17b0ce1befa0eaf91bc7266c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
60451430e674524675f073f7ce9a6218

SHA1
4608e8d034798454e963dcd7d1c0928b28438d18

SHA256
a0bc87de225bd920cf62d42bcae7166f3ce6a995f6fac807c507b075e6e3965c

SHA512
aa93017c718e6aa4f0fd332762fe682809ee9fe2623a44ddcaf09c3fe9f54cb315fe19e20f99ff83acbb103cf698a5bbbcce28fc344c9f0ab87b26e64ae2b759

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8aab364287d3d89d1a22c17307bc438f

SHA1
af36f6c1e458bad11c004912cc1aa95e8ba9078f

SHA256
0a226b81d1e6f4be157a2a401407ad917157e5c6384f501129b6b2427f793936

SHA512
ce6298a6000267ee7ed71f88d5ec00b4655efa551d090931c568b898e733eec6425a1383731d76d2e57e5f81d7d1b3861bfab4de37a497e321f16925fdc30b8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
17b282dd96436232ba6a111d0783abd0

SHA1
fbd460d6c7f564cfe9feb79f1b1fd21a202cf3e7

SHA256
82debdf4da716b9354c3fc98cc4e55f4428ec95e5607df5b87c4a85bea9e5d6b

SHA512
aac225a0e65621a1fa39dbf5ce1b9f4a50a9ca4bc6d4c2115cb2fe6081a95a578035d9206c106e7cb87c2fc72a2308a70d3734eb54e104a3e1864d1a9b237a1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit