hxxps://url[.]uk[.]m[.]mimecastprotect[.]com/s/9d1-C0VRDsq8kBxFwWnC7?domain=qcvvbqbz[.]r[.]us-west-2[.]awstrack[.]me

Analysis

max time kernel
258s
max time network
277s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 20:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://url.uk.m.mimecastprotect.com/s/9d1-C0VRDsq8kBxFwWnC7?domain=qcvvbqbz.r.us-west-2.awstrack.me

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133561301776991871"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4356	chrome.exe
4356	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 532	4356	chrome.exe	85
PID 4356 wrote to memory of 532	4356	chrome.exe	85
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 5072	4356	chrome.exe	90
PID 4356 wrote to memory of 2752	4356	chrome.exe	91
PID 4356 wrote to memory of 2752	4356	chrome.exe	91
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92
PID 4356 wrote to memory of 4596	4356	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://url.uk.m.mimecastprotect.com/s/9d1-C0VRDsq8kBxFwWnC7?domain=qcvvbqbz.r.us-west-2.awstrack.me
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88f7b9758,0x7ff88f7b9768,0x7ff88f7b9778
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1880,i,2112159623856803234,13981077599437185930,131072 /prefetch:2
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1880,i,2112159623856803234,13981077599437185930,131072 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1788 --field-trial-handle=1880,i,2112159623856803234,13981077599437185930,131072 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1880,i,2112159623856803234,13981077599437185930,131072 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1880,i,2112159623856803234,13981077599437185930,131072 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2832 --field-trial-handle=1880,i,2112159623856803234,13981077599437185930,131072 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1880,i,2112159623856803234,13981077599437185930,131072 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1880,i,2112159623856803234,13981077599437185930,131072 /prefetch:8
  2⤵
  PID:4380

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
9819008fdd5d80f4f2c410e77c2a04fb

SHA1
6e366bd28932bf8830056f26a5ba3562357447c2

SHA256
9968e2528c13af82a800503b011588aca8161564f4591e22130ee5c7595a0a56

SHA512
fb8dce760f0aed473e14becbbfe2f50d1ae4b82908ce0612e648df6da4f0718c3107e303ccc00750ce46fb78e0cafcbddf02df128b87b3867448b5068dc01ca9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
829B

MD5
916e6e0a84a50027988c68695c442065

SHA1
9d8f1fd2019e47cba82d3ea4883550c760b13745

SHA256
e2a58715b7333f8b5d802a941a0d621486f0c2bd0192e6a05f0f63c92073630c

SHA512
8dba5691ce2b1d893230da5d7e4cc2a86e80ee8a33317883eec47f9c830711fc29e17b42513c347ec240e326a859aebf67cab326cfc85052854c513edc27f35d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
23e70bd12fca754e78d4be882703ac83

SHA1
1f60962e37b86c54a2f66e60e85a0b94ebd8a833

SHA256
3b74790acaf721ad46a2b4a489368cf8ab06c57e013721cbf51526e88011a738

SHA512
0529806505905fbe295fc2446a06b9efdab94e1bac0d83654e65073ff6d909e9806ed1579166e6bcd72b8870f8e7ebc6b81c4e9ffa4da3b67ad0989678efc9c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
136472c35f3277a472339256d77ef1ac

SHA1
b40b8fbd460a6a6f031b833e12d2c38ba91a9beb

SHA256
d7d7c15ce75ade4833aae0d896d8c30334f89181b9769cdc6e6224c9373cd6ca

SHA512
3fce7e57e80aa632335234ce2cf114a998b4cf6c91373647f5b3fa977a032bc435b372a16e19d868760d1858ff4426c2e909b804962d5e1e28abc6bfab672719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4452a42a2ca3facbc13640f798ddd0b8

SHA1
d4c807bb6ae2d9b7950c68c3abb1b76485771560

SHA256
2053b4878a37af818e55c0ad68012449f201c9b25a292fe9fc93958f7e95c1d0

SHA512
1a7b5e38fbfef6b632d345eb948f1fff300b20ed2d2d9890793d3a45085f8d5d5ae5ab8e7227ce7d671ba7a072c1c22303f2652c0995be9a8219939f09812c63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
e3214fec5afe4f40c4ee9acb5de3e6c7

SHA1
d9384fee9210cde295dd985e0f3d74a855ff979e

SHA256
ba7cdd22d7acfd8a67cb66087c6103d7fdb11b0076744eb6910c13123bb8e482

SHA512
b0e35c3946bfeaa31a29964d0df20842b50739b133d28e4980e148363204805723fa6c2c8e424498e7dda1d1e81d836f4b2ff37bc84aec3a9807576e31a76ad5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
5659e2c20e43461d8426de332bc34fda

SHA1
a31bc5df1f519848271c39e1ecaa0d104360b767

SHA256
5ecfa1931aaa4280bd02308693305228ac52491dc4ff50018a646fd2242dd7cb

SHA512
1dfe050b3e6cee60dade93d408ddc536d67e1388f00cbbbe48d6e423a296dd7b6216ad70d77e048db9664dae7ef4800b12e3e0a966dd289846052e16e01a5e4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit