hxxps://tracking[.]offshore-energy[.]biz/wp-content/uploads/sites/7/2020/03/31125248/Terms-and-Conditions-Offshore-Energy-July-2019[.]pdf?cctw=AQIECACggQFMFVLWwN1K1vFjQM4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 09:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://tracking.offshore-energy.biz/wp-content/uploads/sites/7/2020/03/31125248/Terms-and-Conditions-Offshore-Energy-July-2019.pdf?cctw=AQIECACggQFMFVLWwN1K1vFjQM4

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607569270180123"	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
5956	chrome.exe
5956	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe
Token: SeShutdownPrivilege	1440	chrome.exe
Token: SeCreatePagefilePrivilege	1440	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe
1440	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 5024	1440	chrome.exe	90
PID 1440 wrote to memory of 5024	1440	chrome.exe	90
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 4544	1440	chrome.exe	91
PID 1440 wrote to memory of 2972	1440	chrome.exe	92
PID 1440 wrote to memory of 2972	1440	chrome.exe	92
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93
PID 1440 wrote to memory of 4540	1440	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tracking.offshore-energy.biz/wp-content/uploads/sites/7/2020/03/31125248/Terms-and-Conditions-Offshore-Energy-July-2019.pdf?cctw=AQIECACggQFMFVLWwN1K1vFjQM4
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc93d0ab58,0x7ffc93d0ab68,0x7ffc93d0ab78
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1844,i,14006962073548638846,7533027612960809894,131072 /prefetch:2
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1844,i,14006962073548638846,7533027612960809894,131072 /prefetch:8
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1844,i,14006962073548638846,7533027612960809894,131072 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1844,i,14006962073548638846,7533027612960809894,131072 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1844,i,14006962073548638846,7533027612960809894,131072 /prefetch:1
  2⤵
  PID:184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4192 --field-trial-handle=1844,i,14006962073548638846,7533027612960809894,131072 /prefetch:1
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4344 --field-trial-handle=1844,i,14006962073548638846,7533027612960809894,131072 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4524 --field-trial-handle=1844,i,14006962073548638846,7533027612960809894,131072 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3044 --field-trial-handle=1844,i,14006962073548638846,7533027612960809894,131072 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1844,i,14006962073548638846,7533027612960809894,131072 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1844,i,14006962073548638846,7533027612960809894,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5956

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3816,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:8
1⤵
PID:5328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a5737099237593478bcd670555473760

SHA1
53bb70ff1729d5b26d36cca52f06affff293e2cc

SHA256
0e73b90473f43de9da1ab0190a2bbfaaac243bb32f7ead772da07b8d21a2869c

SHA512
9f2106cfbd2127925de117484fc31adea5f7b6abcb7a954065a1a284ac0f89b9edeb742db3103b5d114435e2acc0a2582360d96b95a8fd0089cebc14d35d10c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
378cfd82cfbf67efd3fe153db1b37d1e

SHA1
f494edba64054b4ca69efb9317211df79280aa53

SHA256
1a02946b4d981db325d24d0a134c2c17cc39ccd3fb1815654a7f64ac4002d503

SHA512
139f6bd0b048c098f87f931a39b384699cfa477259f4abd6bbb02b587583e3a4541da24060afa1a906bf369ffa7dc0e0960fe78253993582991d05538594de12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f237bb3ac4152fa9ab93d7cbc604bb97

SHA1
bcfa04d5bae73967a9e73953bb8f1f31295875ed

SHA256
67fc0b4c1a95b5e610b738201bb2534f829178671a8c5937a648cffa13896b59

SHA512
87da15396cea6746057ab0840ecb5846b21f029cf625ec250f95fe104b3e2ef32141f4ed4c5d295705a3b02fb763cf1000b78af3f9c3d39702713a5cdc105d39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
3a0be1096d8d685337d94990738943ef

SHA1
380990173499d02d2b9ed4f01f1f371c9c86ffc1

SHA256
e3371dcf10d05e12bbf985822227cff1c18e8cbc54aca27986660d3b5ffd89b0

SHA512
b94fd8b700a45427a1af5d233fe4fe9f84b489f41c3a7d057554765652b5e819f5b970474267e1dc60ce50f6a7b3feeab32158b0a65588a47fb15b17bba92499

Download Submit