hxxps://emailtrk[.]atendare[.]com/f/a/1eM7hiOrZpTv_a6aRoNafw**A/AAFmogA*/RgRoHLo0P0SCaHR0cHM6Ly93d3cuc3ltcGxhLmNvbS5ici9ldmVudG8tb25saW5lL2xpdmUtaHVkZGxlLXJlY3J1dGFtZW50by1pbnZlcnRpZG8tbmEtcHJhdGljYS8yNDM5NzI2P3V0bV9zb3VyY2U9QXRlbmRhcmUmdXRtX21lZGl1bT1FbWFpbFcDc3BjQgpmMzQ1Oma27WHMUiFkYW5pZWxsZS50ZW9kb3JvQGF1dG9nbGFzcy5jb20uYnJYBAAAAUs*

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://emailtrk.atendare.com/f/a/1eM7hiOrZpTv_a6aRoNafw**A/AAFmogA*/RgRoHLo0P0SCaHR0cHM6Ly93d3cuc3ltcGxhLmNvbS5ici9ldmVudG8tb25saW5lL2xpdmUtaHVkZGxlLXJlY3J1dGFtZW50by1pbnZlcnRpZG8tbmEtcHJhdGljYS8yNDM5NzI2P3V0bV9zb3VyY2U9QXRlbmRhcmUmdXRtX21lZGl1bT1FbWFpbFcDc3BjQgpmMzQ1Oma27WHMUiFkYW5pZWxsZS50ZW9kb3JvQGF1dG9nbGFzcy5jb20uYnJYBAAAAUs*

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4700	chrome.exe
4700	chrome.exe
1996	chrome.exe
1996	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe
Token: SeShutdownPrivilege	4700	chrome.exe
Token: SeCreatePagefilePrivilege	4700	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe
4700	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 1216	4700	chrome.exe	81
PID 4700 wrote to memory of 1216	4700	chrome.exe	81
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 3840	4700	chrome.exe	83
PID 4700 wrote to memory of 1740	4700	chrome.exe	84
PID 4700 wrote to memory of 1740	4700	chrome.exe	84
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85
PID 4700 wrote to memory of 3904	4700	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://emailtrk.atendare.com/f/a/1eM7hiOrZpTv_a6aRoNafw**A/AAFmogA*/RgRoHLo0P0SCaHR0cHM6Ly93d3cuc3ltcGxhLmNvbS5ici9ldmVudG8tb25saW5lL2xpdmUtaHVkZGxlLXJlY3J1dGFtZW50by1pbnZlcnRpZG8tbmEtcHJhdGljYS8yNDM5NzI2P3V0bV9zb3VyY2U9QXRlbmRhcmUmdXRtX21lZGl1bT1FbWFpbFcDc3BjQgpmMzQ1Oma27WHMUiFkYW5pZWxsZS50ZW9kb3JvQGF1dG9nbGFzcy5jb20uYnJYBAAAAUs*
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92780ab58,0x7ff92780ab68,0x7ff92780ab78
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1900,i,13347985716454943848,16411297452313147192,131072 /prefetch:2
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1900,i,13347985716454943848,16411297452313147192,131072 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1900,i,13347985716454943848,16411297452313147192,131072 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1900,i,13347985716454943848,16411297452313147192,131072 /prefetch:1
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1900,i,13347985716454943848,16411297452313147192,131072 /prefetch:1
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4176 --field-trial-handle=1900,i,13347985716454943848,16411297452313147192,131072 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 --field-trial-handle=1900,i,13347985716454943848,16411297452313147192,131072 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 --field-trial-handle=1900,i,13347985716454943848,16411297452313147192,131072 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1900,i,13347985716454943848,16411297452313147192,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
1064842bab3f27b14ec9f66ac6b8ec00

SHA1
23c84f641a91c35bfef203e237b750553c205f8c

SHA256
107eccb3b7c85fb54711d652dbdf250feacdd63467a60adee4e8ea7ece163075

SHA512
9446b4d849db017a7bb91028c2f382fccc0c8c9d97e5979a5ae203f77520043ec8a3a21ee1708710ca3715ba47b26620dc7511656218bac71b10d52cd0e79ad5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ef5a8e796429bdb730bbb507f8cbc1d6

SHA1
fdff33ba337d50171b90d67a5dc2d5fca4a9fc96

SHA256
63b7643a6ae9413c19ed8372e12eb49b7e19374cdd2bd416363f65d422c18453

SHA512
4d8ace2f819afd1eba020b42f779b3a4edcc973facdc8f7240df18d3e1fecba5b350c34be956291c29d6acfb117aca96828482a4f1bfecb1aa1ab20b60b5c86c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
edd2d9cf767a96899edf21f0d582e673

SHA1
09ebc271e0d7f0843897788f3493b38ded7ce760

SHA256
b092e2acc46fb6e56bce3c9474af3c6166258a56918ee7f3f63a424aab227950

SHA512
bf31e4ac34af7f87080b08e79ecca4ee77141cca2ca9e40aa10167dadd0d87e15a9bbfafd63bbed29005560174bee36850b2679d96fd335dde88b29169499b9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cca1d5fc10032f91a7cbe477dc21462d

SHA1
8c93ec53ebb8b5c8d4d57073a6cd93977dc47366

SHA256
27d1436fa6f3aa2b9315fc63a47efa3d99a9f708e4f7f8008039d8542eddeb49

SHA512
10d6abbdda39b7ca30637ced61b4aa8f16f6a390366727148c4ab710c30426ff1b20582dd9b736aaa6558a369ea9d52f2a05d87f1019a5235880dfe62c4565b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
642ffce613ce1bfcc3f9c0eba8567d7d

SHA1
ae490ce5a562573f9464b592e34ff3de7a63af67

SHA256
3484a3a6684c292c7f3888354a60de7fc704313096dc623f07fc60909cc5236d

SHA512
a7ffe82bd70622816544eb6c5299c381003f763329099b24a7ae4a59fe466f564e037ac72a5fb37737ed8766a3e2e4d946419c236a8ae3051b4b223cad4ace30

Download Submit