hxxps://us06web[.]zoom[.]us/meeting/register/tZIlfuuqqTgqHtRi0fFt0vOsIRlJmjxggbXt

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 02:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://us06web.zoom.us/meeting/register/tZIlfuuqqTgqHtRi0fFt0vOsIRlJmjxggbXt

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133584854629898776"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1228	chrome.exe
1228	chrome.exe
4352	chrome.exe
4352	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1228	chrome.exe
1228	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeCreatePagefilePrivilege	1228	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 3404	1228	chrome.exe	86
PID 1228 wrote to memory of 3404	1228	chrome.exe	86
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 1476	1228	chrome.exe	87
PID 1228 wrote to memory of 2872	1228	chrome.exe	88
PID 1228 wrote to memory of 2872	1228	chrome.exe	88
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89
PID 1228 wrote to memory of 2152	1228	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://us06web.zoom.us/meeting/register/tZIlfuuqqTgqHtRi0fFt0vOsIRlJmjxggbXt
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8ef4ab58,0x7fff8ef4ab68,0x7fff8ef4ab78
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1896,i,3430645652681516563,11982390988034095553,131072 /prefetch:2
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1896,i,3430645652681516563,11982390988034095553,131072 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1896,i,3430645652681516563,11982390988034095553,131072 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1896,i,3430645652681516563,11982390988034095553,131072 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1896,i,3430645652681516563,11982390988034095553,131072 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1896,i,3430645652681516563,11982390988034095553,131072 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4092 --field-trial-handle=1896,i,3430645652681516563,11982390988034095553,131072 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1064 --field-trial-handle=1896,i,3430645652681516563,11982390988034095553,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4352

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
a017483d9ab6e8e261c4d1265fe0f830

SHA1
a1e686583fc8c3ec81a2ec654fde51a5f0b65bc5

SHA256
7b51ff03d18212765afe5e0ea8ccd75a86ddfd5020b36cde711efba54acc9007

SHA512
04acc332f3ff67f6448226132f1602543b19065398690a94ae7de9fcc9a0ae14c73f1df90da2179007f41ffe6000a3f98113946adad10ef5abe8f44db9884182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
8b741af64b620554c7ef56df512aee37

SHA1
8235c5ced027c6e2c2b02fdde89e0bc84bbae762

SHA256
d7fc5abe6caba977f09d8064fc30adce8347ac2476cc6112d79f58688443db8c

SHA512
b43f19263cf695551247b7b61aae0f8d65d52f60eb7a4f8b302e6afa0827498aa634edac4b52026dba3bfa01bdbb690f7fc9ac21acab2af178fe692285901857

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c8040b737e5364175207d509f6389b0e

SHA1
73e9e01ecbb655905ababfd432469a514204c691

SHA256
86611385ca970690d4668c59335b9a9673c4eec23d5017c92627ac5293f443fd

SHA512
1233ac1830b4c454284a1e0e91c37df7256774685b67235a2d20b10b67feb768ca3274f22a971e8ba192514476a6fd4c0cd8cce925bb30e25d40f62b1e2d5349

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
54a8604bc9bd8146e0dc943df26c8bb5

SHA1
17d0d44b930219bb14c80ef6eb0688c92d351a8b

SHA256
aa424c5690c7a60f9806a6907ef4124e7d55cbb12b6d7d25dfe6b8c630c89e4d

SHA512
eb0170df7647592e9a158d8594f6693904781147128a233c4c8c76bb4fac5d90d71a2a7a84351aa863c6e875cc3bc1e086ef85121601e3caefb79fb338d2244e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
b1d1d7b72d1b0a76064cc2fdb0e235cd

SHA1
6b62a06c21f44161eb4241b78265fe07103c69bd

SHA256
e349bd2dd0e674a26ddc4fc40468472668f580e76f9b6c78b1153879091d62a4

SHA512
b1e0a6938e9c56a7b9af98be76e455c6e57793f1b52ea6f34c3967226d4c33375483e59ac171152a87aec7cd41e240b8c515d59e1a1178101eeb427c69f2b1cf

Download Submit