hxxp://login[.]live[.]com

Analysis

max time kernel
71s
max time network
88s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
13/03/2024, 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://login.live.com

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133547960608463609"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1852	chrome.exe
1852	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe
Token: SeShutdownPrivilege	1852	chrome.exe
Token: SeCreatePagefilePrivilege	1852	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 4288	1852	chrome.exe	80
PID 1852 wrote to memory of 4288	1852	chrome.exe	80
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 3960	1852	chrome.exe	82
PID 1852 wrote to memory of 132	1852	chrome.exe	83
PID 1852 wrote to memory of 132	1852	chrome.exe	83
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84
PID 1852 wrote to memory of 3592	1852	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://login.live.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc83a09758,0x7ffc83a09768,0x7ffc83a09778
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1816,i,15163039875680600843,9215658886869931728,131072 /prefetch:2
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1816,i,15163039875680600843,9215658886869931728,131072 /prefetch:8
  2⤵
  PID:132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 --field-trial-handle=1816,i,15163039875680600843,9215658886869931728,131072 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1816,i,15163039875680600843,9215658886869931728,131072 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1816,i,15163039875680600843,9215658886869931728,131072 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1816,i,15163039875680600843,9215658886869931728,131072 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1816,i,15163039875680600843,9215658886869931728,131072 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4488 --field-trial-handle=1816,i,15163039875680600843,9215658886869931728,131072 /prefetch:1
  2⤵
  PID:2088

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
af8de9d30ff2e23ba2320509f70e450d

SHA1
907ca882e53d20272fdf9f3fc89c25dd21c958fa

SHA256
991b614e5a71650eed35752bf5a6f77baee2e6492fbd23ec0bb5209b8bb0851a

SHA512
5baff014e2a4677cae9dd0a7c16a37a36ceb496752cee1f5ef714a6d3f5f0d88b03ae1f4aa6d0b16e9da965b91a6ecb06a0db7cfa9918950ae21dc106e4516c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
a1aaed5e720555b6d429a9696bd7b3a1

SHA1
4dc1f05ee0c381f9ce9fd0a82b2950d2d631e08a

SHA256
2a65ea7b708aae246198e0df14e0762d5a12564bee409ec6bbc306056d9ed324

SHA512
68a208929945ff3100ec95b9879e9cf14bbfb0d0c3d9a8c2813d2888365675b5cec7a01baacf4b00759c4cc551a3e9122c381cabe5ea417794a9367f2c605b94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
04e632ffd2f0a3e434b7c76b361406ec

SHA1
ea817747cc369dbb3c726904bbc9964d9a461b9a

SHA256
7fdaeb7dbacb9b9aa668cdf14e73e7a42e985a25de579d1f590d982b487a726c

SHA512
0a6695b58f163b758f7dff5316151aa425a413211c1845371251f69d01103f0e8d24449787486291227eaf70cbfcf6ce5e411d5ec867cdeb2a11f0ea5548d4b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6198e201700a27764bb6b2e8e16fef55

SHA1
b0b6a0a32a043c7733b37337efff9490700f54e4

SHA256
e6c46720aac18276e8712740d3ca42272cb3680405c37f885c86d4cfafd1b986

SHA512
9580f453cb5fd403598724bcae26c20b897617960f5204d1a912833d13aae4342a90c4784a1390c42c23fe52b42cb527c870d3ccdd5bb0b0b8351bd6c0e5b16c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9a838029fb5e37d49a735bcdc8fa7f05

SHA1
bc72309e5578fd69339308738ed9fa2fab234172

SHA256
c195d4ff135646e29ad35a8b75cbab87c75dec425e5b1397ee3159f16adc3334

SHA512
9229fd202db79d4f7576c11aa0dea4d8697c4c2288cd5654d665648037044e44210fa244570027a816cfdb7a380c0097704cf65d92dfbd77966d918a30209a9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
5df9b5bfa56e45af86c94126a67d54a0

SHA1
6c75f6ad1256b9d240226a5469a3f93ff9ba1d7c

SHA256
e8eba89faa8c3d8f6e02fffa3796724baa1e686a28f52ac634ba7a1e0c7f2361

SHA512
77d6b1fb9ea9d876e9df48e61b389a676ec8068f5e49da87b9741635e60c7733ecc5f3815f4f39019778f42f7a01ef89d178956d9aaee6fbb6e77b2ea5e6b380

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit