hxxps://na3[.]docusign[.]net/Member/EmailStart[.]aspx?a=815665c1-2743-4ec1-9efa-9db2479c8cdc&r=f6abc7e2-7eba-4e29-a01d-0776c65fea30

Analysis

max time kernel
299s
max time network
285s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 17:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://na3.docusign.net/Member/EmailStart.aspx?a=815665c1-2743-4ec1-9efa-9db2479c8cdc&r=f6abc7e2-7eba-4e29-a01d-0776c65fea30

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133580204723698644"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1996	chrome.exe
1996	chrome.exe
5052	chrome.exe
5052	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe
Token: SeShutdownPrivilege	1996	chrome.exe
Token: SeCreatePagefilePrivilege	1996	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe
1996	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1380	1996	chrome.exe	83
PID 1996 wrote to memory of 1380	1996	chrome.exe	83
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 432	1996	chrome.exe	84
PID 1996 wrote to memory of 4144	1996	chrome.exe	85
PID 1996 wrote to memory of 4144	1996	chrome.exe	85
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86
PID 1996 wrote to memory of 1764	1996	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://na3.docusign.net/Member/EmailStart.aspx?a=815665c1-2743-4ec1-9efa-9db2479c8cdc&r=f6abc7e2-7eba-4e29-a01d-0776c65fea30
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffe3e61ab58,0x7ffe3e61ab68,0x7ffe3e61ab78
  2⤵
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1892,i,10912689058347511781,10848497917827818138,131072 /prefetch:2
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1892,i,10912689058347511781,10848497917827818138,131072 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1892,i,10912689058347511781,10848497917827818138,131072 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1892,i,10912689058347511781,10848497917827818138,131072 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1892,i,10912689058347511781,10848497917827818138,131072 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 --field-trial-handle=1892,i,10912689058347511781,10848497917827818138,131072 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 --field-trial-handle=1892,i,10912689058347511781,10848497917827818138,131072 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4496 --field-trial-handle=1892,i,10912689058347511781,10848497917827818138,131072 /prefetch:1
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2380 --field-trial-handle=1892,i,10912689058347511781,10848497917827818138,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
4393923bb16eb4b1e3b9dffc12045016

SHA1
7af9a60b58242cb85e44789dd867ba755001b7c0

SHA256
e1a578dec6c7d48cf2d7625725bbfb2b6847e250f13208da9d96366613182e31

SHA512
a6ca456069625a4671bfd8dc1d0c02fb7d99c0ff437a47241af2932203670a21560f6ff5264355a793fb8ae039c6334e96615dde1e709d87cc647f6e49aecf93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fc5b285513b2d021e1c17a78d15b3ad0

SHA1
468eb0d23fb42cfba403821a1b2ab4edd9b2d635

SHA256
435d358687a736734e3ae7646b844565edb4ec940e7c82863dcddb30705fb616

SHA512
4e9a57d598ace503f5a1762f109c8c589a468d5f0b59b394b602815795f2bb4a4efeea885c85225bf75a2529b125e54a4ffd031de8f1f471e04ae228d3a91f67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1016B

MD5
bc86cebc0fb2f61d039cc7b464ae6cec

SHA1
061370a6f885268396af410bb40d44de560cfa18

SHA256
dc5b2fa31d37a2a4d5f6ed22ad513bc9cfc2405e6e9f4a52acd0af8240b78f04

SHA512
d375352d8967a5a47def74f6b12b96553e67d063fc87d7079eb2468b3ef27bfe960a9bf92f220e358373323fa40e48d57b7eaaf0ca3823cc4008157551fe3a90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1c33909af6ad77480de6d954ca5afbc3

SHA1
0ff3f468095af9dfa79928ec7009d853eedd5f85

SHA256
39b83ec811fee28f5c766e1e9907f41df8c52e2bd8719565d3931a174e16c29c

SHA512
a91ace300e224f3799f4d385efaacfd0e0af88d7d8b8e6f1e5b685cd63cee3b9c8e40d8df9717655204b5785e3fbcfc4c6de310f03440dc96bef1d36c04c3589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9a874c916247447dc4adf70e730ba6d9

SHA1
2129557beb8ba37f0160aa0b927b39b858f49167

SHA256
46b8214733e65de519d09c3a6f63d412f303446e18dbd0ef79ebfee3d2ee437c

SHA512
4390e3bc0e34b24dadfdc913122deb3c50795381c8ef8e127ca9579332efaf90ec4e97c37e5809801d19443c7455ea831d53e1d80358d067a4e3ccec0c02714d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
28b37ad79802e358f87a60b30ba966f9

SHA1
de057d0933b37b352e4c66d59c19a1bb45c37821

SHA256
f768eafbc581b3c950f33a21af6b97960907b647bb00cfb7651a5403328e4931

SHA512
341d625a52a1eaa514b44d84f14f426044a270f6822b210362b1f4f3a94ce631a10cc062164f2800fed9cc43464a1f4eede3af57ca8fde24a1aa3c9ee1f6b209

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
a8502d83d176b2f53ae0cbcb41b34d20

SHA1
414551e751153edd9237c8baf292939d9fe1db25

SHA256
1f695650aa86b1eb516ff5a02e0975643f176ccb235a42e423f8f3dce5a2d692

SHA512
325da91b7a29a080e1bca3882f8c7ff02ea594d098c9a3fdf46d2e01c85fc96333b932901cd127dee73e239993dfe4b039c058a45bb26a8a971f79b787b48172

Download Submit