hxxps://imap[.]cam/MmbPQ7XF

Analysis

max time kernel
61s
max time network
57s
platform
windows10-1703_x64
resource
win10-20240404-es
resource tags

arch:x64arch:x86image:win10-20240404-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
05-04-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://imap.cam/MmbPQ7XF

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3892	chrome.exe
3892	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe
Token: SeShutdownPrivilege	3892	chrome.exe
Token: SeCreatePagefilePrivilege	3892	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe
3892	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 5096	3892	chrome.exe	73
PID 3892 wrote to memory of 5096	3892	chrome.exe	73
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 4248	3892	chrome.exe	75
PID 3892 wrote to memory of 2932	3892	chrome.exe	76
PID 3892 wrote to memory of 2932	3892	chrome.exe	76
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77
PID 3892 wrote to memory of 1952	3892	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://imap.cam/MmbPQ7XF
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd38a79758,0x7ffd38a79768,0x7ffd38a79778
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=276 --field-trial-handle=1808,i,8832587161837287038,18176546957868990310,131072 /prefetch:2
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1808,i,8832587161837287038,18176546957868990310,131072 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1808,i,8832587161837287038,18176546957868990310,131072 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2836 --field-trial-handle=1808,i,8832587161837287038,18176546957868990310,131072 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2840 --field-trial-handle=1808,i,8832587161837287038,18176546957868990310,131072 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3732 --field-trial-handle=1808,i,8832587161837287038,18176546957868990310,131072 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1808,i,8832587161837287038,18176546957868990310,131072 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1808,i,8832587161837287038,18176546957868990310,131072 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4720 --field-trial-handle=1808,i,8832587161837287038,18176546957868990310,131072 /prefetch:1
  2⤵
  PID:3248

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
1ac9b1c169bf93db4835c500e3ecdb33

SHA1
08af1797b2ec429bf928d8d469cd2473bfb99954

SHA256
1d17db19aafe6864d3d06328216f6598e26be1ec2dd41e5099bb10c81a06ad90

SHA512
90c7c7247dc7f9371eee42396cd8f43cb4bdd980e3f0e379a2979829b85a1ac9724774ea391f696f6fbbb53e571f71469d179b84589eb90caaa43cd670bbf67b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
7bfa45176a1aef180246fdcba4579918

SHA1
4b37f666a8e2d44f908e1df107f3c0c46be56903

SHA256
455031cdf59fc95fbe8fb3bf8e6d75e94ead89392dc21b81269bfbc2a177de65

SHA512
7bc7d010715af364bb8d2e53863e4f5b3867e623829212e9894da0970389b920846cc2208a6ac6f55158d1904ddb0a93b9ac1b5d368e748f08155d5258f3d0a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
82749247cb92f8ecabea63a9176f8b31

SHA1
2dc58fa8ca394901fb3977a01b0106038ddbe3ec

SHA256
6d260e475de1493b0cc965df8a67fd1543e0d6f33f49688cd9603759a522dd7f

SHA512
b6ff073f89595a3752ff4bc6ec5740eab1ebd50eac93d5c623c217f82839c2d32253461ed9a337b25802f338c5f6057c8be1605ef59e1192f1848e27489a471b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a78f3ee4bc842bd2e93993cc9ec47e7f

SHA1
38853ca815c8ad48cd8c8114c6f67bce9da03c74

SHA256
6e659730e8ed6074186f85da70aa242204a127d58162bf91452afc1a83280503

SHA512
c9b89e3583500d89b665b349850e48aea633c14990e88f0644f2946e9dd8f1dc91a4c2195e099cbedfafe0f08bd133a69c9ae35fa625d44458f45618cb164520

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
661ec159e8a0cf45a074883a7f38da9f

SHA1
ebe4ec5d6231cddc67e6f087a9839f356de108f3

SHA256
6ec9b72a4f922e001ccf194bd0caf9859183a480b2166725ca1fec57629d6fb6

SHA512
52c9c831eacf47389e13319fdd6c95d4e2755addc77a8d7a3737314feb6cbe8e2ad1717c36d99bc7bdf137026446ef14cb601292f129e80610a7048f1f226e0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
268KB

MD5
3abe37af365eab007c775dcfea799fd4

SHA1
8dadf311551473e4c52b572991404bccf9ac55bc

SHA256
fdde2b617e6b885d61bb1b915e750d59b949fbb0dd88573dfa34a5820bb122ba

SHA512
0bd2f0b6c20e93db39229df8b1d22cafc6af11b0b5ceb72214cc852860588583b3f30d4958b9f3c4e066debef9f81e0d6d64dab663f57a138e9f0ce6bbd5fc33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit