hxxps://url[.]us[.]m[.]mimecastprotect[.]com/s/btloCG674PFNBjEJSK0eiM?domain=hub[.]celtra[.]com

Analysis

max time kernel
59s
max time network
50s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20/05/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://url.us.m.mimecastprotect.com/s/btloCG674PFNBjEJSK0eiM?domain=hub.celtra.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133606436614276035"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
408	chrome.exe
408	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
408	chrome.exe
408	chrome.exe
408	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 1320	408	chrome.exe	72
PID 408 wrote to memory of 1320	408	chrome.exe	72
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 924	408	chrome.exe	74
PID 408 wrote to memory of 368	408	chrome.exe	75
PID 408 wrote to memory of 368	408	chrome.exe	75
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76
PID 408 wrote to memory of 3520	408	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://url.us.m.mimecastprotect.com/s/btloCG674PFNBjEJSK0eiM?domain=hub.celtra.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffab44c9758,0x7ffab44c9768,0x7ffab44c9778
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1836,i,5869789636842744855,16246007613802743228,131072 /prefetch:2
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1836,i,5869789636842744855,16246007613802743228,131072 /prefetch:8
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1836,i,5869789636842744855,16246007613802743228,131072 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2836 --field-trial-handle=1836,i,5869789636842744855,16246007613802743228,131072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2844 --field-trial-handle=1836,i,5869789636842744855,16246007613802743228,131072 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3828 --field-trial-handle=1836,i,5869789636842744855,16246007613802743228,131072 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2900 --field-trial-handle=1836,i,5869789636842744855,16246007613802743228,131072 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 --field-trial-handle=1836,i,5869789636842744855,16246007613802743228,131072 /prefetch:8
  2⤵
  PID:4212

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
c8b6e3e70aefd0a9265a6733136783ee

SHA1
1921e8a21ca2207ee9932743434c2b54447cec1c

SHA256
62e57b2f646b3b005c9e0d63a813c25f486bbbdf5b19e8ceab01b5951423a66b

SHA512
63cee60acd0534487c3ff4fb2a23e1b596bdaf5fdfdfe569f9342b6dd225808503317edcf31b2de0801889c6b3f5759353624922862f7cb65c92187651396558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
8664b26b68f77f3d455b4ee82015ebc8

SHA1
ebee348c4eec2a2c358cde1cd923461abbc72c51

SHA256
66dd71f47d66ee3d729ec9aadad321d1637a4a144058d64127458032d6ef8799

SHA512
6a05da3fb3b2db7ed960d8ece1ec5eefe064a33fec079a317232d8760b7509940683609f874e3192832b12060c160ed3c1654e86bc7a51f6f80a5dd65a45432c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
743f812d1a45f8ada419d524d17e9abd

SHA1
6bd159228ff9c0879c5a0d0b350afaf8f069f454

SHA256
51b3932fc138c7dfef6fb221dd6aeefcc9a2c0533fdd8d000407548b1a1ec256

SHA512
c6a9f4e3428efaf6a37f3a98d95eda8edd3073f24aec2a57e37c67ab95ac048ca427d4f1168bc694577ce5ae9a888fb1359d0e257b05bce11ed7168acfbf0bb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cd5f925e9fe0b9fb4fd2a41a604543e5

SHA1
f660738529f6b3239289d547931b00df94ac26e1

SHA256
80a49b4c8870f5f2d84400b36770b58a5dd53391b8582a35e1943fa584feb35f

SHA512
965eb65680bb668d61282e0357d299370f65497b4f3ae852dd78764ecf645fadce323e8b21092f75aa85525c67c543fde03dede0751b5d8f0a0a0314acb4df24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
a4b718ca066ac2b694c5015f7c31e7ed

SHA1
9563aec4c10260c8cee72e16a95632ddb7d7c269

SHA256
375047f3166ccec384a7028e8bae9e23b0444434f77012ac176c6291abe59ea2

SHA512
c3deb90c23660580a5c8a9fd85c6df5f354c3785ec99ce81359f00f5f5f6612a121929d87547645e601e59ac689cc9c9e14f7364be755194bcbe513ef2b87d95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit