Analysis
  max time kernel:   78s
  max time network:  67s
  platform:          windows11-21h2_x64
  resource:          win11-20240221-en
  resource tags:     arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         01/04/2024, 20:28
  URLScan task:      urlscan1
  Behavioral task:   behavioral1
  Sample:            https://ams_support.axiomupgrades.com/password/reset/52RNb8BwNuFdgynBM13CrUhTF1PbAYybNMhMdjkx7wsYeh0R6cObHCm8DgvL?email=al.bundy@saic.com
  Resource:          win11-20240221-en
General
  Target: https://ams_support.axiomupgrades.com/password/reset/52RNb8BwNuFdgynBM13CrUhTF1PbAYybNMhMdjkx7wsYeh0R6cObHCm8DgvL?email=al.bundy@saic.com
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
  description      ioc                                                                                                      Process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                    chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133564769536062098"  chrome.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  Process
  864  chrome.exe
  864  chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  pid  Process
  864  chrome.exe
  864  chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                       pid  Process     count
  Token: SeShutdownPrivilege        864  chrome.exe  32
  Token: SeCreatePagefilePrivilege  864  chrome.exe  32
  (the raw list alternates between these two rows)
Suspicious use of FindShellTrayWindow (26 IoCs)
  pid  Process     count
  864  chrome.exe  26
Suspicious use of SendNotifyMessage (12 IoCs)
  pid  Process     count
  864  chrome.exe  12
Suspicious use of WriteProcessMemory (64 IoCs)
  description                      pid  Process     procid_target
  PID 864 wrote to memory of 1556  864  chrome.exe  78   (2 entries)
  PID 864 wrote to memory of 3144  864  chrome.exe  80   (repeated)
  PID 864 wrote to memory of 3804  864  chrome.exe  81   (2 entries)
  PID 864 wrote to memory of 2100  864  chrome.exe  82   (repeated)
  The 64 entries collapse to these four rows; the 1556 and 3804 rows appear twice each, the rest are repeated writes to 3144 and 2100. All four targets are child processes of chrome.exe (PID 864) listed under Processes: the crashpad handler (1556), the GPU process (3144), the network service (3804) and the storage service (2100), i.e. the browser process setting up its own helper processes. The list is capped at 64 IoCs, so the remaining children (renderers, ProcessorMetrics, UtilWin) not appearing here says nothing about them.
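The signature tables above were flattened into single lines when the page was extracted, and the two long lists are capped at 64 IoCs, which makes eyeballing them unreliable. As an added example, not part of the original report, the following Python collapses lines in that shape into distinct rows with counts. The input strings are shortened excerpts constructed from the tables above (the real lists are longer), and the regexes and function names are mine.

```python
import re
from collections import Counter

# Constructed excerpts in the shape of the flattened signature tables above.
# They are shortened: the report lists 64 entries under both
# "Suspicious use of WriteProcessMemory" and "Suspicious use of AdjustPrivilegeToken".
WPM_LINE = (
    "description pid Process procid_target "
    "PID 864 wrote to memory of 1556 864 chrome.exe 78 "
    "PID 864 wrote to memory of 1556 864 chrome.exe 78 "
    "PID 864 wrote to memory of 3144 864 chrome.exe 80 "
    "PID 864 wrote to memory of 3144 864 chrome.exe 80 "
    "PID 864 wrote to memory of 3804 864 chrome.exe 81 "
    "PID 864 wrote to memory of 2100 864 chrome.exe 82"
)
TOKEN_LINE = (
    "description pid Process "
    "Token: SeShutdownPrivilege 864 chrome.exe "
    "Token: SeCreatePagefilePrivilege 864 chrome.exe "
    "Token: SeShutdownPrivilege 864 chrome.exe"
)
PID_LINE = "pid Process 864 chrome.exe 864 chrome.exe 864 chrome.exe"

# One regex per row shape. The backreference \1 in WPM_RE enforces that the pid
# column repeats the source pid, which is how the flattened text is laid out.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")
PID_RE = re.compile(r"\b(\d+) (\S+\.exe)")


def collapse_write_process_memory(line: str) -> Counter:
    """Count rows keyed by (source pid, target pid, image, procid_target)."""
    return Counter(
        (int(src), int(dst), image, int(procid))
        for src, dst, image, procid in WPM_RE.findall(line)
    )


def write_targets(line: str) -> dict:
    """Map each target pid to the number of recorded writes into it."""
    targets = Counter()
    for (_, dst, _, _), n in collapse_write_process_memory(line).items():
        targets[dst] += n
    return dict(targets)


def collapse_privileges(line: str) -> Counter:
    """Count rows keyed by (privilege, pid, image)."""
    return Counter((priv, int(pid), image) for priv, pid, image in TOKEN_RE.findall(line))


def collapse_pid_rows(line: str) -> Counter:
    """Count rows keyed by (pid, image) for signatures that list only pid/Process."""
    return Counter((int(pid), image) for pid, image in PID_RE.findall(line))


if __name__ == "__main__":
    for key, n in sorted(collapse_write_process_memory(WPM_LINE).items()):
        print(f"{n:3d}x  {key}")
    print("writes per target:", write_targets(WPM_LINE))
    print("privileges:", dict(collapse_privileges(TOKEN_LINE)))
    print("pid rows:", dict(collapse_pid_rows(PID_LINE)))
```

The collapsed view is what you want to compare against the process tree: every target pid should be a child of the writer, and any target that is not in the tree is the row worth looking at.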
Processes
  PID 864   "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ams_support.axiomupgrades.com/password/reset/52RNb8BwNuFdgynBM13CrUhTF1PbAYybNMhMdjkx7wsYeh0R6cObHCm8DgvL?email=al.bundy@saic.com
            - Enumerates system info in registry
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
    PID 1556  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff913ff9758,0x7ff913ff9768,0x7ff913ff9778
    PID 3144  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=312 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:2
    PID 3804  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:8
    PID 2100  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:8
    PID 1640  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2808 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:1
    PID 2020  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2816 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:1
    PID 2080  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:8
    PID 968   "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1816,i,14113153298337594414,5553236958191250235,131072 /prefetch:8
  PID 2300  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
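Chrome's process list above reads best as a tree: `--type` names the child's role, `--utility-sub-type` the service it hosts, and `--service-sandbox-type=none` means the utility process was launched without a service sandbox (here the network service, ProcessorMetrics and UtilWin). As an added example, not part of the original report, the following Python rebuilds the tree from the depth markers, flags the unsandboxed children, and cross-checks the children against the WriteProcessMemory targets; because that signature list is capped at 64 entries, a child absent from it was not necessarily untouched. The PROCESSES rows are constructed from the list above with the flags this code does not read left out, `<target-url>` stands in for the submitted URL, and the dataclass and function names are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the process list above: (depth, pid, command line), trimmed to
# the flags this example reads. Depth 1 is a top-level process; depth 2 is a child
# of the preceding depth-1 entry. <target-url> stands in for the submitted URL.
CHROME = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'
PROCESSES = [
    (1, 864,  CHROME + " --disable-background-networking --disable-component-update --single-argument <target-url>"),
    (2, 1556, CHROME + " --type=crashpad-handler --url=https://clients2.google.com/cr/report"),
    (2, 3144, CHROME + " --type=gpu-process --mojo-platform-channel-handle=312"),
    (2, 3804, CHROME + " --type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none"),
    (2, 2100, CHROME + " --type=utility --utility-sub-type=storage.mojom.StorageService --service-sandbox-type=utility"),
    (2, 1640, CHROME + " --type=renderer --first-renderer-process --renderer-client-id=6"),
    (2, 2020, CHROME + " --type=renderer --renderer-client-id=5"),
    (2, 2080, CHROME + " --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --service-sandbox-type=none"),
    (2, 968,  CHROME + " --type=utility --utility-sub-type=chrome.mojom.UtilWin --service-sandbox-type=none"),
    (1, 2300, r'"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"'),
]
# Target pids of the 64 recorded "Suspicious use of WriteProcessMemory" IoCs above.
WPM_TARGETS = {1556, 3144, 3804, 2100}


@dataclass
class Proc:
    pid: int
    parent: Optional[int]
    image: str
    role: str      # browser, crashpad-handler, gpu-process, renderer, utility:<service>, or image name
    sandbox: str   # value of --service-sandbox-type, or a label when the flag is absent


def flag(cmdline: str, name: str) -> Optional[str]:
    """Value of a --name=value switch, or None. '--type=' does not match '--utility-sub-type='."""
    m = re.search(rf"--{re.escape(name)}=(\S+)", cmdline)
    return m.group(1) if m else None


def build_tree(rows) -> list:
    procs, last_top = [], None
    for depth, pid, cmd in rows:
        parent = None if depth == 1 else last_top
        if depth == 1:
            last_top = pid
        image = re.match(r'"?([^"]+?\.exe)"?', cmd).group(1).rsplit("\\", 1)[-1]
        ptype, sub = flag(cmd, "type"), flag(cmd, "utility-sub-type")
        if ptype is None:
            role = "browser" if image == "chrome.exe" else image
        else:
            role = f"utility:{sub}" if sub else ptype
        sandbox = flag(cmd, "service-sandbox-type") or ("n/a (top-level)" if ptype is None else "not stated")
        procs.append(Proc(pid, parent, image, role, sandbox))
    return procs


def children(procs, pid: int) -> list:
    return [p.pid for p in procs if p.parent == pid]


def unsandboxed(procs) -> list:
    """Children launched with --service-sandbox-type=none."""
    return [(p.pid, p.role) for p in procs if p.sandbox == "none"]


def children_without_recorded_write(procs, pid: int, targets: set) -> list:
    """Children of `pid` that never appear as a WriteProcessMemory target in the (capped) IoC list."""
    return sorted(set(children(procs, pid)) - targets)


if __name__ == "__main__":
    tree = build_tree(PROCESSES)
    for p in tree:
        print(f"{'  ' if p.parent else ''}{p.pid:>5}  {p.role:<45} sandbox={p.sandbox}")
    print("unsandboxed:", unsandboxed(tree))
    print("no recorded write:", children_without_recorded_write(tree, 864, WPM_TARGETS))
```

Note that elevation_service.exe (PID 2300) is a second root, not a child of the browser: it is Chrome's own elevation service, and the report records no signatures for it.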
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 27KB
  MD5     5656ae58a4ca972eb7ba56d28fffb4a1
  SHA1    bf0c29f6052b86955c30b9211c02413e46e2938c
  SHA256  67cf70082f1cb536a680c267837886e96211542363d0ac5c2234d36ab9a97417
  SHA512  90c59e8ff940a23f4641226f3a26435166525a68adba3e4944131f193d4acfed33df530af156dd9b5aab9bd7904c87ffcf4407b0d0c4848f822eb9a469da7f57
- Filesize 20KB
  MD5     a44386502f79e4e2f0c9f91c1c0dfad2
  SHA1    f1106dfa8ada219a5600c6a8fd2dfdf93a427c52
  SHA256  ba4a4802c1982ae8e201da7be9c6ff31c017a367531bb4c4f1f5e722e095a59e
  SHA512  1c81e79bb2a2e0316317f367e4c9dd62314495cc6a6a5d8a3e0d080c1ddf48ed184c2cd91223c62b475833896c9c5706b5504322bc162f249aa9fb6717fe82f7
- Filesize 504B
  MD5     bcb56f216dda313f2036e718c0f5e77a
  SHA1    ff20ffd250921cbdca4aaa5b40529ec4d474cd4d
  SHA256  75379bb7b9273701b77272e3a1360b8360ef5930239185a1c73d9edb1ef610e2
  SHA512  73de73bda8d4b7d6969bb7d2dd7d33e578a22f0f6674a4def36b27655f733a7cde41942248e95f40ee3d56b7748a47cd7ab024bea420b4e78270f6426ee6e37b
- Filesize 1KB
  MD5     57ab9cf606fc1f8afac22f1c43f3f69a
  SHA1    1e3b53918c4904808bc77fafdda02d1b0ff1afec
  SHA256  590b984ebcb9238155ad07e762bb374fefabe18d7bc78abb93e21763e36caf19
  SHA512  de1d38915482684c6aad4787d79d7a374fb5b5a4b505501142d6ee1df97f70213f5292a46c7383a7ccfe6bf01ebb2ec01cb2241c66d8d2cb223ca4ddc005e9dd
- Filesize 1KB
  MD5     4e5be5fadec22899bb96381b82987749
  SHA1    39a680a21a33548ce8cf5bef8d72e63dfa13bf22
  SHA256  c5c2c5b3233333e401df9880973b61d4514cc21d74b32f838f50bca21b28e4f6
  SHA512  567f7d32f43c280f3b92c5adc176c80dd553838e287a313c8d6f059a84a5e28cebc68335f0914d28b4c5f352013bd38a2a148a16ad33ea8b027450fc1c17c61b
- Filesize 1KB
  MD5     4d1238d8edcff10deaeb00aa5d38ff29
  SHA1    c8a8c518847b153ea7570e851a785a3bfe7aa2a8
  SHA256  7603574db46a3acce2c1fdb33ef708d74471f1ecd6e2b84293570497b58577f3
  SHA512  39f5c160f9c77cbaecfee575125fc6b59f7c0807e923638c58fafeb8436e07fe4bdc1342f467867e0179b8d91867ec06f47e1a4f0a0bb7b2e61787350c0dc0e1
- Filesize 702B
  MD5     3c6be906e3a65caacede3376c0a8a00e
  SHA1    d3a725f80faa3f9586da576466faad516424de3b
  SHA256  2ede8699cf0c2584b4eebda8959260319f885d8246f894fabd360da0900e0666
  SHA512  a77b4e7979caeb48833727e3e0e62e03f3af62c2295864d20f7bbb759fa98df994f95e4895614798ebcc55d6f5b6d215d8d67b17d96979e644796d758ec24bd2
- Filesize 702B
  MD5     eaa034279c624a6255fe6163474b0242
  SHA1    aa495cce52723be134234935dcd44c56b5b8d8e3
  SHA256  720c92b28cb6c08f0c2ca4f8b3a30b09fdea9949ab5dbf3a0e565730c43c84ee
  SHA512  7b6ac75867cb28df6f9369266a20457a07345d15d07d64b4d4804dcfa38892c2d8689db5b4030b19b1885e4a488c76a5eb76921a2a461cca81638a6a27d4e17a
- Filesize 702B
  MD5     b8e236f6204596004e0896d5ceea1913
  SHA1    16b16256f379f2ed431b39d2418c65e4170a1ed5
  SHA256  3a5d7dc257d54066ab9b88d7f58ef9f24c6955c63e5f8d9aed72252a23905e12
  SHA512  25d41fe91d869650ab2372f8ef698c409ca5b2136a7ad1025beb92bd12b8a609b525096ec6b751fe5e4970b6d759de29a6d02f33a23be75ca750caa7017649f5
- Filesize 704B
  MD5     388392ed001467a971c54615e1fb10c7
  SHA1    81c9746e84fddf4a46a909fa544eeea77289c460
  SHA256  2fbaf9317a4a5b7455be52430f7319f05e6c91c4ebf48de67762b1f3e5626531
  SHA512  099ee3f10fdf8d1e0a93037f01f71c89c2c146b631625c4fcd310e7035b09703250ee9551959569a65130bdbfad287e351eced8d95daef3d2e42b59815e73f03
- Filesize 6KB
  MD5     5c4c0ec3cff345fe20d1cd5851e55581
  SHA1    f4f3a4b26094542078e61593973660478e714ab2
  SHA256  5977887a0b4ec94ff6cdd89bcf3b854e0f8427bb4dfea5b8ca5cc70fba83645f
  SHA512  76353a6afd1d800bc570f596ae34e85c025d386df64adb989dac63aefcd373f1857f2f3ef16b62fc1b5681a1ae0227056aa49ab3d1dd943434a5fe49944816ce
- Filesize 6KB
  MD5     73e900f118c098518a8bdf4b8b6e0c0c
  SHA1    585fd864382c0f4926a77542d3f94694c3794354
  SHA256  b3cdccc7d04ee5f25206ce8f29c63020a493ed38eea7b09b4ad904d16b546b58
  SHA512  c80959139476a55156bb7839fa300c35911a65ef2edcb94ed9c9a1818f24e66a2b92009d6d4b29ffea11d37d91f97b3beb8e54e423c7fb6570fcd23ca2905e66
- Filesize 130KB
  MD5     d2c297fec5d700076156e8a01401f84e
  SHA1    c5f23fa52c75708a7bb73dd3012b91f0412b9ac6
  SHA256  c42ee202853021d105bdd97e0104d24835973bbd67e7be84f7181700f94b9b25
  SHA512  34d5339f3d118a63deb2e0230781a09237a8d7aea599467f31ff4b68306f0664935e4c6fd991c16d6c69a8b7e1bdc290261297b6488fed1ebdc122aa6063dc1d
- Filesize 2B
  MD5     99914b932bd37a50b983c5e7c90ae93b
  SHA1    bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256  44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512  27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
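A Downloads entry that gives only a size and four digests can still be identified when the content is tiny and predictable, which is common for files a browser writes into its profile. As an added example, not part of the original report, the following Python hashes a few constructed candidate contents and matches them against the 2-byte entry above; the match shows that file is the empty JSON object `{}`. The candidate set, the record layout and the function names are mine.

```python
import hashlib

# Digest record of the 2-byte entry in the Downloads list above (size in bytes).
REPORT_2B = {
    "size": 2,
    "md5": "99914b932bd37a50b983c5e7c90ae93b",
    "sha1": "bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f",
    "sha256": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "sha512": "27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a"
              "33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd",
}

# Constructed candidates: contents a profile file of a few bytes is likely to hold.
CANDIDATES = {
    "empty": b"",
    "newline": b"\n",
    "empty-json-object": b"{}",
    "empty-json-object-nl": b"{}\n",
    "empty-json-array": b"[]",
}


def digests(data: bytes) -> dict:
    """Size plus the four digests a sandbox report typically prints."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def identify(record: dict, candidates: dict):
    """Name of the candidate whose every digest present in `record` matches, else None.

    Size is checked first (cheap), then only the algorithms the record actually
    carries, so a record with just an MD5 can still be matched.
    """
    for name, data in candidates.items():
        if "size" in record and record["size"] != len(data):
            continue
        computed = digests(data)
        if all(computed[algo] == value.lower()
               for algo, value in record.items() if algo != "size"):
            return name
    return None


if __name__ == "__main__":
    print("2-byte artifact is:", identify(REPORT_2B, CANDIDATES))
```

The larger entries (27KB, 130KB, the 702B and 6KB ones) cannot be recovered this way; for those the hashes are only useful for correlating against other reports or a sample retrieved from the sandbox.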