38a0bbafc75a84c04bbe56270ae10439f124227d93643ebcee8732aabb61be18

General

Target

email-html-2.html
Size

1KB
MD5

a48470abf11448ff56c3ff699425da49
SHA1

0df5acc685d76ba7b699e406e41b56918fc34fbc
SHA256

afd3a945198bc8ba3a77cf2d931bb4b6e8f1aeb4bf8ec74f8ab27bb8ad69c776
SHA512

346fab6ac33efee80c0a49fde181cbb776a0c47d1e4d42c79831d9bcb9d764b372479623f0bd1d6142e4c1eae7edeae5c9ab951679be558500184cece651c3c0

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585123212628791"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2812 chrome.exe
2812 chrome.exe
1280 chrome.exe
1280 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

2812 chrome.exe
2812 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2812 wrote to memory of 3032	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3032	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4052	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 444	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 444	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 4832	2812	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcca029758,0x7ffcca029768,0x7ffcca029778
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1820,i,9050588722829292774,703863060179829830,131072 /prefetch:2
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1820,i,9050588722829292774,703863060179829830,131072 /prefetch:8
2⤵
PID:444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1820,i,9050588722829292774,703863060179829830,131072 /prefetch:8
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1820,i,9050588722829292774,703863060179829830,131072 /prefetch:1
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1820,i,9050588722829292774,703863060179829830,131072 /prefetch:1
2⤵
PID:784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 --field-trial-handle=1820,i,9050588722829292774,703863060179829830,131072 /prefetch:8
2⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4132 --field-trial-handle=1820,i,9050588722829292774,703863060179829830,131072 /prefetch:8
2⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=164 --field-trial-handle=1820,i,9050588722829292774,703863060179829830,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
4c6b1299e8d925368dac1bad7d11a694

SHA1
63b240169b4196c3b1f265deaf7060bc5b58afb7

SHA256
c9f88fbc42ab4bc73980d2e19485f1a5fa7aaa799c88eedf46edca2f30131436

SHA512
3872b57f38150fc12fad63f078c03535ecae0a9e82b8fa3445151cec92cb064d5f8b15cf851d37d3c552ee2d8233bd4b065229a37aa20be56793b17f853afe8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
d44ce1d24f08f1156f035d73a4c8a00a

SHA1
a8570a556e20fee053a0a6324a269a00fca00731

SHA256
179da542178cd64ac3c3ef2b169b7df1f9f7abf226b4e221c7dc2396f555b2fb

SHA512
18f813fe8df875b6d4f51467e3b5fb71e9728109513eef6afcd2a8fa4a74b0b7acc52a4d5e91b910630bfa03552b660d3dac74494f4a0f9edae6a4fb6c19abb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
b0543c62c5a2813bd6bd2fb1458c5ac5

SHA1
b05a8b1c3cd5951f7a91d1c874348106dbf3db56

SHA256
25fb92eb419c67b513be86ef199e65e9f6388ad7b2c675406a3d17bc573e2a78

SHA512
e8aeb56d1a32ab4c4ecbf12791a52a17f51cf9053abf6b83036b85cf15526ab72e3c14916638e601797b45e0237ccba7255553ced2aba196f660f84c8b7a81a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
84f518e7b71dd07c195a2c77cd62b2f2

SHA1
04991cbe84c33599f018f86ab27a8f1d9d8d4676

SHA256
ee99dae8a7bf3c7474fe9bf5911440015146bec4a846dccd237f0d6f5d36d155

SHA512
d9d87c775d8c26f70145ef58933ff7e14c538c447392a53df7011cc4603b993cbbb5486e75e9cb0f2e10abd571d9ecc83c2cd60c8eece4198f276f53a97847ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_2812_IZIKLPPURZZAIAYS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads