hxxps://airtable[.]com/app4B4YxTAYZlAdhi/shrXmIX6fz4sJM75z

Analysis

max time kernel
45s
max time network
41s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
23/05/2024, 20:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://airtable.com/app4B4YxTAYZlAdhi/shrXmIX6fz4sJM75z

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609688000960221"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
396	chrome.exe
396	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 1820	396	chrome.exe	80
PID 396 wrote to memory of 1820	396	chrome.exe	80
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 984	396	chrome.exe	82
PID 396 wrote to memory of 796	396	chrome.exe	83
PID 396 wrote to memory of 796	396	chrome.exe	83
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84
PID 396 wrote to memory of 3684	396	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://airtable.com/app4B4YxTAYZlAdhi/shrXmIX6fz4sJM75z
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff72f7ab58,0x7fff72f7ab68,0x7fff72f7ab78
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1800,i,12510107804754487447,4587560609827089662,131072 /prefetch:2
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1800,i,12510107804754487447,4587560609827089662,131072 /prefetch:8
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2148 --field-trial-handle=1800,i,12510107804754487447,4587560609827089662,131072 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1800,i,12510107804754487447,4587560609827089662,131072 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1800,i,12510107804754487447,4587560609827089662,131072 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1800,i,12510107804754487447,4587560609827089662,131072 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 --field-trial-handle=1800,i,12510107804754487447,4587560609827089662,131072 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3828 --field-trial-handle=1800,i,12510107804754487447,4587560609827089662,131072 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4332 --field-trial-handle=1800,i,12510107804754487447,4587560609827089662,131072 /prefetch:1
  2⤵
  PID:3344

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003e

Filesize
672KB

MD5
3e89ae909c6a8d8c56396830471f3373

SHA1
2632f95a5be7e4c589402bf76e800a8151cd036b

SHA256
6665ca6a09f770c6679556eb86cf4234c8bdb0271049620e03199b34b4a16099

SHA512
e7dbe4e95d58f48a0c8e3ed1f489dcf8fbf39c3db27889813b43ee95454deca2816ac1e195e61a844cc9351e04f97afa271b37cab3fc522809ce2be85cc1b8f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
413394af7cc84678ad9bb193906748c1

SHA1
bbd862b33dcdb057c1a11ed179522259d4b9cd37

SHA256
e53dfe64f30328e3d7636c8d7e05167e9d401ac64e1f271758c0b30ce6039f0a

SHA512
bde393edd39e642e3f05aa3689ba283471f990af5b61e81261924e5df337e578875c08e9eef2cd65910b1c89274f4a3fe3d92a8c7badb9d8ae8dd01e06a01d13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a81af430d4c2ec2e3c4c0f4ed6246320

SHA1
bb7f4f7caceded13d35108cea707a56de3527912

SHA256
60843f2dedf9a03b2e4997e24803b680282974bf1e592207246b56e3c69ec904

SHA512
cc1bec88728321a412d596e874b30f118749ba4e8923731d38f1949cd99201f8a70c3ae50c8096cb204bec4b9abd96be64a262075711d5397fa6306a473bc23c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
b3557a7dc1292bd4aa5763a48745505e

SHA1
90b1d1bff45711578f006917ec8359dedf23431e

SHA256
92fa79956a45c31da4e420351c0253e0d5dc950b69118fa33c996923d2320e10

SHA512
7a977cd099fa5228fb0798c369fb213bc29eca30ea37b63e15dd0b3f35257f85834fc3b1d63bb5f9cebb26de34fcfccc87b08d1873a672de5cfafc74d2dadfcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0d804180b4b324cffaab88d9d26f92c1

SHA1
a77dc40215b4a62a2fddbafef0fb09699d495999

SHA256
a7e5405db14120b934e890ecb8eaffc604748493843ec346e821205beae32d49

SHA512
be36e340336a0a711445c4664628f9011a2b891d3d70ca1d6986bab92ceea686e8f33b4ae947d38c87094266165c834f33f69eb70d3347dda061d5667015ae27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
00d7635f356f98e118f24fa02fc50878

SHA1
cc496af047d44ca39e5adbda3fac86df10761ff6

SHA256
0ea6929afee1cce6d2e84f06b991fedb133549bc7f3f367f975881390dfe61a8

SHA512
11da66ba1ab889c6ca0318259275ffd8202b70270da5acf6c04ef79622514abd0eccb1c1cfd6150ccdc8efe34867defe5ba90558c31db2b34cb2933bc8a67514

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a27e5bebc3789b1dc23f9a2ba9b6870a

SHA1
88755196f4c36011cf631544659fb2977457cb28

SHA256
40db6dc4c0bd507a33ad0474aa2b7ed9d862330554d496a1b58eb6fe81b5f12d

SHA512
0a6d194c1079fc3156e7cd143f55a8e4b837eea1279957669125ff6baac67ab4630e915219b7718f3ea093452d26952206ae60f7ae4083663bf5cd92c0cd3276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
76a67bb01a92c830c4e03eb626329a42

SHA1
4e1915bb6f01d9b290035d0625549f774cc635a0

SHA256
bca1e835a7e288b186887932905bd64437f96a5a5d028595852d43151baae934

SHA512
1526d29187f81a9750cdfee23d046a04530f10c7f03d5f47c50f0e4c25776fc2e0b076bb3c281651d82ea28738285277a214b3bd2b787deb8bcc6f875f48c92a

Download Submit