hxxp://espace-carte-vitale[.]info

Analysis

max time kernel
149s
max time network
142s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
17/05/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://espace-carte-vitale.info

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133604410213609702"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2872	chrome.exe
2872	chrome.exe
4140	chrome.exe
4140	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe
Token: SeShutdownPrivilege	2872	chrome.exe
Token: SeCreatePagefilePrivilege	2872	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe
2872	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 688	2872	chrome.exe	73
PID 2872 wrote to memory of 688	2872	chrome.exe	73
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 2332	2872	chrome.exe	75
PID 2872 wrote to memory of 3872	2872	chrome.exe	76
PID 2872 wrote to memory of 3872	2872	chrome.exe	76
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77
PID 2872 wrote to memory of 808	2872	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://espace-carte-vitale.info
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc13179758,0x7ffc13179768,0x7ffc13179778
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1824,i,7783073402364162568,15070558892041971006,131072 /prefetch:2
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=1824,i,7783073402364162568,15070558892041971006,131072 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1824,i,7783073402364162568,15070558892041971006,131072 /prefetch:8
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2668 --field-trial-handle=1824,i,7783073402364162568,15070558892041971006,131072 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2676 --field-trial-handle=1824,i,7783073402364162568,15070558892041971006,131072 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1824,i,7783073402364162568,15070558892041971006,131072 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1824,i,7783073402364162568,15070558892041971006,131072 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1824,i,7783073402364162568,15070558892041971006,131072 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=688 --field-trial-handle=1824,i,7783073402364162568,15070558892041971006,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4140

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
566B

MD5
02155ac5171651f8a1cd51247eb08880

SHA1
08e4d57de453bb80ceb264b21e795b14df38dcdc

SHA256
8e8b6c506478e74338d563200041574854bae16bbe01ea8c066279c5c756eb79

SHA512
515fc51f5dc4330a32d4e103a953a623d56d6afb069b1eb6b708e32ae6bfd47a838a2e28bc749ca153fc797e854e32107f06762a144e6ae1a77b6c81b107d4f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e05963e0bd72697fdcc1693d336967f8

SHA1
4aee36af0a3dde42f1d9472aeda0757a2bd799af

SHA256
ac4df77f08410a7c3c6b98e26446af058be8aa4ca77e0241eed338658c3c183f

SHA512
06e8d125b3bc145ed1c12e9df676b160d154d6e06bb78a5fe611cf574acb70d91c70541e98e8753e784b3766ed18c0b45d8f333b1f1f42d9b7d3b562904ca70a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
56400fdece0541a30fca088952f9f1ef

SHA1
0e761d2d7f276f5ee7791468142a4d8b182dfe77

SHA256
ef56cd5ffe8efbd7e1eeae8955de80560abd2990bdb927697eb1ef9afb5424d9

SHA512
02970eed0a2ab3dbbcf656d77c403428b9c89710345c9d6df93b65831a05947f52285012db5efc7983373dcae9aaab854bdccd4fd1557e2e7e83af4ce618902b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
50233675ce35408d0183e3af977f4978

SHA1
f8a9d88d472f400580a99c5ea5ee5aa53153741f

SHA256
96ba0cd7c9567fb5953f7d2ceef18534559d4124dbbb464a7d87ed62440806d3

SHA512
f4bafd51e21d9ee59ff6b3a94294b76b0cbbb37bd3daccfe95968a26e2e1e0cca4dcf8f94b87cec1e6a8438203752d00d197c3835dc3329df2d3322c60d06cbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
1bacd0e1747bc5469f8ae100a0694d0d

SHA1
f49d212283f0656c15a86551945a0ad942c6aa4e

SHA256
b891d32ffcad942b1310b12520e0ea6e77cf0acce8604d29f8f72f9eb12b79ca

SHA512
ee24e5022ff9186ae64c94e0a5b263d2b0a2ee751b97117cd73078f83d6430e886495c7374c0cdc54875d509e007063005d01303c0cc15d73e7d2e511a9fdd76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit