hxxps://web[.]mymentalmentor[.]net/win_app/inst-33[.]exe?filename=MentalMentor[.]exe

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://web.mymentalmentor.net/win_app/inst-33.exe?filename=MentalMentor.exe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133600114677033605"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2356	chrome.exe
2356	chrome.exe
3268	chrome.exe
3268	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2356	chrome.exe
2356	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe
Token: SeShutdownPrivilege	2356	chrome.exe
Token: SeCreatePagefilePrivilege	2356	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe
2356	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2200	2356	chrome.exe	83
PID 2356 wrote to memory of 2200	2356	chrome.exe	83
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 3036	2356	chrome.exe	84
PID 2356 wrote to memory of 4536	2356	chrome.exe	85
PID 2356 wrote to memory of 4536	2356	chrome.exe	85
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86
PID 2356 wrote to memory of 1820	2356	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://web.mymentalmentor.net/win_app/inst-33.exe?filename=MentalMentor.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2191ab58,0x7ffe2191ab68,0x7ffe2191ab78
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1888,i,12593470069616409638,14560775371115572782,131072 /prefetch:2
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1888,i,12593470069616409638,14560775371115572782,131072 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1888,i,12593470069616409638,14560775371115572782,131072 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1888,i,12593470069616409638,14560775371115572782,131072 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1888,i,12593470069616409638,14560775371115572782,131072 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1888,i,12593470069616409638,14560775371115572782,131072 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4780 --field-trial-handle=1888,i,12593470069616409638,14560775371115572782,131072 /prefetch:8
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4804 --field-trial-handle=1888,i,12593470069616409638,14560775371115572782,131072 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1888,i,12593470069616409638,14560775371115572782,131072 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1888,i,12593470069616409638,14560775371115572782,131072 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5064 --field-trial-handle=1888,i,12593470069616409638,14560775371115572782,131072 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4804 --field-trial-handle=1888,i,12593470069616409638,14560775371115572782,131072 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1888,i,12593470069616409638,14560775371115572782,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3268

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4a67afe5eca93ec330e0a607b305c655

SHA1
c05227cee9d7a4a875bbdc1954c7f59bb9567228

SHA256
6a5b96ea3a1fa3afafc04fead1b57dd1b0121b12e1617284af8c1323c7e801ab

SHA512
1bf314751d15d9c6e6b1adcfc900430ae2c3bcd94682338abe42361452c786f3ad462992edd3e2206aaa715d356e62bdc098cdf46e44c64f070e465d8977f3ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9dab807b728230118b5f320077a6c87d

SHA1
784dd017b031db84d0c9bfa0436e4178c7f1c154

SHA256
5578bd52228515a364637c519a20ed54c7ceb10caf765d312593e3b7567a01f0

SHA512
1ea46df861ac1ea1994eabe92667d2098db9b6d8cff5e0749e42de6d5052ddbf6fed99edd9c391fce711726692be9e564384e666fc51109f5f228ec3af3e4c71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
03c9123802ea4f5957dab629c51bbf5f

SHA1
5c20d52c2b43ca51283e40fe1c96a528b000ae03

SHA256
884ebc83186ce51ce168ae011cce1134f87a7b497b2bab0fa7389bfbe7cb3800

SHA512
97ec9da56fe16941dfd49695d290d8aed7611794db31c509398aa6f7e7d27d1fbf106bece7722052afafa4b4e862b408137ae38c375b56ee1de3b621761184c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
f15c5b6349c1ebadf2457aba870a586c

SHA1
6eb4550cf54948fbcf1c03aa6e0aa12adbfed00a

SHA256
e94b231101677f5dc27fdfe6d71a696a9b565d71dc997cd9316df5801e40dcd4

SHA512
74907fb5d83602341b079f70613a2bde2c9e83ef9e198665781292408ead3298e7e95a229be2b11fb711dfb040853bbb572ddd8525968ebba4e7b94352e2b446

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 681803.crdownload

Filesize
3.2MB

MD5
4403cb3b8b299528d40a2555d8395beb

SHA1
52971b252d0e259808f158872db478eef4ed94e4

SHA256
cad92559e7848f000ca084aa6e5434a2eafedd2bc2e5ff06a13b724bfd447359

SHA512
a1bd42758a68499dbce08cf99d6da6cd526914032a8129869da40c28f6daa4006b26b24047d40d0e4e11e325c97cef603172d5029bfda4756d5b94f0454fdb18

Download Submit