hxxp://wistaging[.]com/9423/Cipperman/#dGNpcHBlcm1hbkBjaXBwZXJtYW4uY29t/=promotions

Analysis

max time kernel
40s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wistaging.com/9423/Cipperman/#dGNpcHBlcm1hbkBjaXBwZXJtYW4uY29t/=promotions

Score

10^/10

microsoft phishing product:outlook

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133549238560569995"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3880	chrome.exe
3880	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 2084	3880	chrome.exe	97
PID 3880 wrote to memory of 2084	3880	chrome.exe	97
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 1536	3880	chrome.exe	100
PID 3880 wrote to memory of 2804	3880	chrome.exe	101
PID 3880 wrote to memory of 2804	3880	chrome.exe	101
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102
PID 3880 wrote to memory of 2248	3880	chrome.exe	102

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://wistaging.com/9423/Cipperman/#dGNpcHBlcm1hbkBjaXBwZXJtYW4uY29t/=promotions
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff97b949758,0x7ff97b949768,0x7ff97b949778
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1908,i,14091919024840901769,9872292672396775345,131072 /prefetch:2
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1908,i,14091919024840901769,9872292672396775345,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1908,i,14091919024840901769,9872292672396775345,131072 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1908,i,14091919024840901769,9872292672396775345,131072 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1908,i,14091919024840901769,9872292672396775345,131072 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1908,i,14091919024840901769,9872292672396775345,131072 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4828 --field-trial-handle=1908,i,14091919024840901769,9872292672396775345,131072 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4612 --field-trial-handle=1908,i,14091919024840901769,9872292672396775345,131072 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4608 --field-trial-handle=1908,i,14091919024840901769,9872292672396775345,131072 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 --field-trial-handle=1908,i,14091919024840901769,9872292672396775345,131072 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3408 --field-trial-handle=1908,i,14091919024840901769,9872292672396775345,131072 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3112 --field-trial-handle=1908,i,14091919024840901769,9872292672396775345,131072 /prefetch:1
  2⤵
  PID:5932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
cecae34d2228e2db12a0daf00851e988

SHA1
64c79382d8b239fbfbcdf4277233ce06677d5cc0

SHA256
7ff5d643121f296a0771e0068e8015f71c3f05219ec96538d486df45b3839de7

SHA512
6f15957137adb4e268cb95ad79e1c901603cf359434577364af6f6aa79dddd68b0148d7b406c2a60e60322251dea01b0bccab6b5139e1c90749491ff01050efb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
39df9b352827b47706be62d576cf426f

SHA1
4f1588b46f480b4fadb532d98220610293fce984

SHA256
7c83b427476ad818276fea743d1e5437b855b78495e0d048b8ef1d84eeaf7189

SHA512
268627c4067f3e37d51d1e9c27580a145f85e0f0d7783ac551d1ca5eaa20664873e52dd921197a3f3236292f233521505abb1e12f82cdd6cd09cda9812d4106d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
11aff56b1604f22da6182e5044618477

SHA1
f45cc3548b2322b361d6d2bce633324e3e1c09dc

SHA256
579a8c7339e1a3a36a2f392d11b23a2a0c7d16d1ec1d07f1b9b96295d3898a5a

SHA512
7bb4145e04591da7e0380c19d973b3e935fa6c9f019435c2ef3d03ba279b1bbcaafb4a2bae420a4763f38ac090e68fc290e3ffd73f132d33309fb610c8085ba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4c6dab591305aaf42eabadcba275b1f5

SHA1
e31e714e32833022c7f9cd63761f8d668cc61dad

SHA256
bbeae3765be0217f9168bd55e5279ea579a08daf08287895c9811cd149821f26

SHA512
ce809f2bd3b939ac4a1a1ea16cb5a832b4f9af22af8b164abc0158187ca29a5c010b9d77d9dad6c301e6b6b1c3953ff4d685c35cf951dd44a21d01d1aa11134c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
a410a065394d81daa26dac0a871bf576

SHA1
bbd811f26900b24a4906c4d957f864960f2ac2ed

SHA256
79db1b98693fe863c7f8e29d23bfdcd3f68826b0a0ae221863e0391b5c15c680

SHA512
7afa90e7cfef380794db61022be4f157b7d2fc89b086431f43b012281b3aee46be9ef53cebc4a0d0e3d91773d5ba4f58e5785efa6dc8a899eb4f0f785f4f1806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit