hxxps://s[.]itsecuritymessage[.]com/2513501[.]doc/60322d/8e6223ca-8a91-4d55-b009-885a5604d62d

Analysis

max time kernel
60s
max time network
67s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24/04/2024, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://s.itsecuritymessage.com/2513501.doc/60322d/8e6223ca-8a91-4d55-b009-885a5604d62d

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133584553479192288"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2836	chrome.exe
2836	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2836	chrome.exe
2836	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 4704	2836	chrome.exe	73
PID 2836 wrote to memory of 4704	2836	chrome.exe	73
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 5052	2836	chrome.exe	75
PID 2836 wrote to memory of 200	2836	chrome.exe	76
PID 2836 wrote to memory of 200	2836	chrome.exe	76
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77
PID 2836 wrote to memory of 4824	2836	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://s.itsecuritymessage.com/2513501.doc/60322d/8e6223ca-8a91-4d55-b009-885a5604d62d
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb67c69758,0x7ffb67c69768,0x7ffb67c69778
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1772,i,3644549934384939645,9696301381400835765,131072 /prefetch:2
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1772,i,3644549934384939645,9696301381400835765,131072 /prefetch:8
  2⤵
  PID:200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 --field-trial-handle=1772,i,3644549934384939645,9696301381400835765,131072 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1772,i,3644549934384939645,9696301381400835765,131072 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1772,i,3644549934384939645,9696301381400835765,131072 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4304 --field-trial-handle=1772,i,3644549934384939645,9696301381400835765,131072 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1772,i,3644549934384939645,9696301381400835765,131072 /prefetch:8
  2⤵
  PID:4900

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0784a107-5ce3-4505-8f02-128fdd49ea8d.tmp

Filesize
5KB

MD5
bc87e6c37ba19a3941e727d62bbd3855

SHA1
86c14213576c6be384f6d310111abc4cc4e25e15

SHA256
1f805d9484787f5ad00930a905efe5fc57209532594a1863e59911cf02470c84

SHA512
d509e5b5b8a188954285bc8b09a67979788128057879c6ca2793244a9722b2cbfec446eccf3cb77490f091aa485d235b570925f35daac1581c5c30054d1469ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
f1b37caf4773bf97c6aa37d17a2ce967

SHA1
cbbcf43145a8f23cf22a0f285b1474d907884927

SHA256
48e83ac904e2c3ed7d40dfb738b5d5f9834e8a5414ff48e3eaeb6c436371760b

SHA512
715c298cfb6c4d2d3f2a457a66418d2c67e27ff65419bd8275d497045a5c95d3d50c34209c8f74835b5e2422651fff92673adf36982bd92b7a2834363397edaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
49da4c9e63901c0dab34b1f0f83af01f

SHA1
9efcf356c9fae0c44c6755d9b44a02d172864a1e

SHA256
16ad8c13e2fcdf901e5541ea38ea576664fa162e6a482bb6e15c4672c1c06b2a

SHA512
51f5abe50307fe497465de4661a4a5ab7c534d0914a88b23288f1847719f8f7ca4cfc565438854627e2437a4a308988a978f21a8b427144708c73abbfae1ef72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
2e7c7b7f47137d9ef3231d60ddbed953

SHA1
4503a3c4c90b9868be646ffb7a3693ffec1cae2e

SHA256
6d6b5067b4cbcb72d7006f4240483d3c7de2b797a5c449ae900b5af7b70aa0f3

SHA512
71359231fd5cf31d544404c6a2e43c9989fed24100cffab0e98bd264ec1b6139ab94caec6631a76a15943a6c2c3564e1c301a5b1e9173b3accfba3106bce6a50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d654b15c8e204849e84d6ca084ee9427

SHA1
b24342ee61e9d47b9cf4435e15b07efbcaa44672

SHA256
dd8b2a67b968b78d07d9abae4cf250717eee526fb9b28efed62d022edf9972dc

SHA512
77720f2215a229baf455698aa3a094092c5b618b6b162b27f45a04bc064a60c8b2da7f55890f29adf1c863b3371cc2345d2557c3255b32df8602b6a98d07a664

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e8aa9722b4caffb7723f338045983ed7

SHA1
2a76e075b208b11849f0abf655aa804cae67cdee

SHA256
8aedf278cab22329defb46ccd883b653fd4706dd835277d9bb3a2720c8330375

SHA512
eba19633d80942a53f80153a126573a1e40cdcfc46fe4eb259a4f7064dfc4abb18d85f9ac2b76723d76ba377dd906f8d9d9be8435dd78cff4e9a21ce8492f4a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
df8d81e8248e9dfe596d83ef4116f1be

SHA1
ad46a8f4b1154e23dcdaa88ece0f6d8198add7b7

SHA256
0d67d3f1cb2718607e462e81f17c141de2cfde9a2ffdac128e43c43de4b2ed86

SHA512
c28ea67569b10570fae2dde68c2b422eea9cf9a1459fc1d388a038eb91261189260f8d00951c9c772dc9f86f16b575df5e08d51351c8a347232b565a96fe595a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit