hxxps://project[.]microsoft[.]com/en-us/?org=org29a478df[.]crm4[.]dynamics[.]com/#/taskboard?projectId=4b45fc36-17f9-473d-8012-3fc9ebb21184&taskId=B4F95E87-21E2-EE11-9047-6045BD923B93

Analysis

max time kernel
149s
max time network
140s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
19-03-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://project.microsoft.com/en-us/?org=org29a478df.crm4.dynamics.com/#/taskboard?projectId=4b45fc36-17f9-473d-8012-3fc9ebb21184&taskId=B4F95E87-21E2-EE11-9047-6045BD923B93

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133553328892053389"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
1032	chrome.exe
1032	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4476	4972	chrome.exe	73
PID 4972 wrote to memory of 4476	4972	chrome.exe	73
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 4868	4972	chrome.exe	75
PID 4972 wrote to memory of 2684	4972	chrome.exe	76
PID 4972 wrote to memory of 2684	4972	chrome.exe	76
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77
PID 4972 wrote to memory of 1312	4972	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://project.microsoft.com/en-us/?org=org29a478df.crm4.dynamics.com/#/taskboard?projectId=4b45fc36-17f9-473d-8012-3fc9ebb21184&taskId=B4F95E87-21E2-EE11-9047-6045BD923B93
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8e99c9758,0x7ff8e99c9768,0x7ff8e99c9778
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=256 --field-trial-handle=1736,i,17483687912390346477,3273866896045627866,131072 /prefetch:2
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1736,i,17483687912390346477,3273866896045627866,131072 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1736,i,17483687912390346477,3273866896045627866,131072 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1736,i,17483687912390346477,3273866896045627866,131072 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1736,i,17483687912390346477,3273866896045627866,131072 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1736,i,17483687912390346477,3273866896045627866,131072 /prefetch:1
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 --field-trial-handle=1736,i,17483687912390346477,3273866896045627866,131072 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1736,i,17483687912390346477,3273866896045627866,131072 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2504 --field-trial-handle=1736,i,17483687912390346477,3273866896045627866,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
ed83966ea764d8dc27a2943cc56ad355

SHA1
42fce78725ad4aacf2b778c4abe3eabe65abbae4

SHA256
7b95b2fd4b90499e226eb037e6c73987822c197242c111b8827ecd0e4ec60d1b

SHA512
c440069fa55d8524758edf071696e2d3ccc6310315ac6aff2fb554c6ca8d297f2e9d8d62b6d32ae6ed3acecf25f325f1df52e86515e99a23a9759c00489aa55c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
83a2ada2e905831b1c7e4473d25eabe4

SHA1
39012364f00d5197cb4f52932df4446b4a798df4

SHA256
c6d035e23f57829b927491a16781b343e79eda04096c2c392841a996aa688ed1

SHA512
36733d3af40d0c4b445713110d1dfc76dd9eaa6d5c6feeef3866245f13592e27e63d64aba8ef374789162b51f4128a933a270933cd2828bec8d9790c65aa77e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
8a1a4daee7db5def8b90a7ccfad23ff2

SHA1
0a893ceadbc5e6d7ec36877ad18f063925567730

SHA256
566a88357ec295b1484379739c5d6bc80307019cfabc4fcb19417d1709b274cc

SHA512
c001807650e7a50ddf5b255d78c2930b5b399841abd2f375427ac0f560c3112644f968caeb06d7e56967164c56df4435a5847a09dba153bf264a0c7bf3d916df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cd4eaf7025834812a83223b9bf2ec427

SHA1
d583b5cc00ce1de93779141ce97080e2d6a04886

SHA256
7289ef8ab5cc23771cc5de7655605578b92ae6b0062c036f636fd1a112b3a640

SHA512
9dc5027f1c34dc9e720342d069adc1f8985066d4c24356ec274a3f9a8dd5030cb89219f3d981f7a9a8027e608035262eafdfd862e967ca3c13981f645ab06272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a67a299a1beab5488039127c0714a063

SHA1
59d305cecbf75094b131f80b63f88dff67ae58fa

SHA256
34fe907e6fa4f8baeab7b9d7e38992109cc46fb62cb5b24b2c435494bae5594b

SHA512
55f7a507ce5d5926bba50c491d327ccc02c230dbc168423afffde592509730049b7438fc96659d6784aab8cfd37d0b8b5edb8ff06989faefe77e69136126f724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e9d5e8dba7a4f90011e2d161e8ac4503

SHA1
3f153d529531e21e2a858beeeb0273a0ee55efe0

SHA256
ca0afb7b9714e5b350ca7df3ee402841ebd5a66038316385d09acd6f1c8ae25a

SHA512
483ddfa5a7d7fd572e3cacc82357c10f9c55d8d7cb0591a09aa70a35beb75a3b85ac45f70b8576e6b025c2cd75df2d31ab9d4105720a3ca2e43cd7c5c4633bb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
2023d33bb98f51865fad508ed408a680

SHA1
fb341339a3f92c593642068d0d2506c678e1cfc1

SHA256
08b4c0b72a47ba8829af57258660ff77e91e46c22d47d44cd2a4cf38569d1550

SHA512
927a45cedcc05a727ebb4afc16c769b51d155536eb09f5a53e9a39c9f4e5a04d5221e4a0f9d4bf060f7c078c5c132ba3331652b67b2ceb7b206561bbf3358fbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit