hxxps://na2[.]docusign[.]net/signing/emails/v1-192dac60d8e940478e90fb3b8e71f99f18d731026e064e4b8415754b42e6221f

General

Target

https://na2.docusign.net/signing/emails/v1-192dac60d8e940478e90fb3b8e71f99f18d731026e064e4b8415754b42e6221f

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609618817567506"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

5032 chrome.exe
5032 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

5032 chrome.exe
5032 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 5032 wrote to memory of 3240	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3240	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1740	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3052	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 3052	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 4700	5032	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://na2.docusign.net/signing/emails/v1-192dac60d8e940478e90fb3b8e71f99f18d731026e064e4b8415754b42e6221f
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9496eab58,0x7ff9496eab68,0x7ff9496eab78
2⤵
PID:3240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1844,i,15683031686979151463,8463506929538595692,131072 /prefetch:2
2⤵
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1844,i,15683031686979151463,8463506929538595692,131072 /prefetch:8
2⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1844,i,15683031686979151463,8463506929538595692,131072 /prefetch:8
2⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1844,i,15683031686979151463,8463506929538595692,131072 /prefetch:1
2⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1844,i,15683031686979151463,8463506929538595692,131072 /prefetch:1
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4292 --field-trial-handle=1844,i,15683031686979151463,8463506929538595692,131072 /prefetch:8
2⤵
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1844,i,15683031686979151463,8463506929538595692,131072 /prefetch:8
2⤵
PID:5596

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:8
1⤵
PID:5668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
49eae33bf7c49a2b4528ac1520d3a559

SHA1
5ca8ab9a94a4827d456f220b56ea07624d9c1ec8

SHA256
da887c0a4b257a5a89ac707986c6d900b94a0f0fbaab71e2bcfc39d3e703a83e

SHA512
e35d8ebeb256516efcf7f30154e92a84d3b7d4769d4c5edb410ccdbbf01c6f6650a1ec51c88fde3d0bd8b3921a3b60f43913ed34d39f88baef02b95f1a8f67cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
690B

MD5
1d69b725147519013dd4203f1061f58e

SHA1
ad98de0a3ecab00e9e113c0b10c405ea1fa4ec86

SHA256
d675f69a61a3fa6d42a0c002e6c012b2d4784fabb6205b537d7f357775a16719

SHA512
654d9586b0ba2d0c3ae30008a6457a090d20e47f1c5056005f9553de78ef91e9ec87cdbae81d7ce5ba492c6a543144ed4014ceaf88f9bb8eec17f5cb1ea7484c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d01adbbad3178974228e5a01b68b76c2

SHA1
b8c4e539cc6084ab31554346f1fee5723a5c42b7

SHA256
ec0bd617eb9845fbc06ed6e7ce090983375034ff9bf972683455a1b7998c0c8f

SHA512
8d9f675b6a10db3c8a8715cb6f172309f8c45660c1c8dca03a2e0284daf8dee05a421bcb33a4f013e17a731da887a4d110caac210eaca957e49d2c285922ab46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
445793c8e64c865edc4a5921b010ecce

SHA1
e2584dc01c5d2afeddfe6886f3598e3bf684ad6e

SHA256
fe2c259d923c3d245bb4b3484f1247a1d4ddd9453eba688d9451b6bc3f8ce079

SHA512
8d1315e76bfc571965db0f2567190abac91b895b321c432f21a6f85ea5169493c6444c93d9f168a105624f7eeb371a4e5ccc92500169a9ed6da81371f2323396

Download Submit
\??\pipe\crashpad_5032_VDZNFJSOTZPACKUX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads