Analysis
max time kernel: 299s
max time network: 275s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 23-05-2024 15:57
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://ca.docusign.net/Signing/EmailStart.aspx?a=acd07022-8df5-4eaf-8188-4709523a86f5&acct=c0094336-a599-41d6-ae18-d829f343fec3&er=1f292e5c-88e2-47d9-8907-f762563fbc4e
Resource: win11-20240508-en
General
Target: https://ca.docusign.net/Signing/EmailStart.aspx?a=acd07022-8df5-4eaf-8188-4709523a86f5&acct=c0094336-a599-41d6-ae18-d829f343fec3&er=1f292e5c-88e2-47d9-8907-f762563fbc4e
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609534449314366" | chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1564 | chrome.exe
1564 | chrome.exe
4400 | chrome.exe
4400 | chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid | Process
1564 | chrome.exe
1564 | chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1564 | chrome.exe
Token: SeCreatePagefilePrivilege | 1564 | chrome.exe
(the two rows above alternate across all 64 IoCs, 32 of each; duplicate rows collapsed)
Suspicious use of FindShellTrayWindow 26 IoCs
pid | Process
1564 | chrome.exe
(all 26 IoCs are this same row; duplicate rows collapsed)
Suspicious use of SendNotifyMessage 12 IoCs
pid | Process
1564 | chrome.exe
(all 12 IoCs are this same row; duplicate rows collapsed)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1564 wrote to memory of 5100 | 1564 | chrome.exe | 77 (2 rows)
PID 1564 wrote to memory of 4456 | 1564 | chrome.exe | 78 (repeated)
PID 1564 wrote to memory of 4924 | 1564 | chrome.exe | 79 (2 rows)
PID 1564 wrote to memory of 3364 | 1564 | chrome.exe | 80 (repeated)
(64 rows in total; the remaining 60 rows are the 4456 and 3364 entries, duplicate rows collapsed)
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ca.docusign.net/Signing/EmailStart.aspx?a=acd07022-8df5-4eaf-8188-4709523a86f5&acct=c0094336-a599-41d6-ae18-d829f343fec3&er=1f292e5c-88e2-47d9-8907-f762563fbc4e
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1564

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xb8,0x118,0x7ffb0971ab58,0x7ffb0971ab68,0x7ffb0971ab78
      PID:5100

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1776,i,1935300730720599558,15517429464356149519,131072 /prefetch:2
      PID:4456

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1776,i,1935300730720599558,15517429464356149519,131072 /prefetch:8
      PID:4924

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1596 --field-trial-handle=1776,i,1935300730720599558,15517429464356149519,131072 /prefetch:8
      PID:3364

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1776,i,1935300730720599558,15517429464356149519,131072 /prefetch:1
      PID:404

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1776,i,1935300730720599558,15517429464356149519,131072 /prefetch:1
      PID:4484

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1776,i,1935300730720599558,15517429464356149519,131072 /prefetch:8
      PID:4448

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1776,i,1935300730720599558,15517429464356149519,131072 /prefetch:8
      PID:2020

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1776,i,1935300730720599558,15517429464356149519,131072 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID:4400

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID:2080
Network
MITRE ATT&CK Enterprise v15
Downloads