hxxps://mcresearch2[.]co1[.]qualtrics[.]com/CP/Register[.]php?OptOut=true&RID=CGC_KnfQIoRySdobchT&LID=UR_eG2SxpjuVcI89KJ&DID=EMD_JqbZIEFG4jUCslH&CLID=CG_2wj1GcctS2yt596&BT=bWNyZXNlYXJjaHR3bw&_=1

Analysis

max time kernel
12s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mcresearch2.co1.qualtrics.com/CP/Register.php?OptOut=true&RID=CGC_KnfQIoRySdobchT&LID=UR_eG2SxpjuVcI89KJ&DID=EMD_JqbZIEFG4jUCslH&CLID=CG_2wj1GcctS2yt596&BT=bWNyZXNlYXJjaHR3bw&_=1

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610806280909720"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 536	4972	chrome.exe	85
PID 4972 wrote to memory of 536	4972	chrome.exe	85
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 3988	4972	chrome.exe	86
PID 4972 wrote to memory of 4488	4972	chrome.exe	87
PID 4972 wrote to memory of 4488	4972	chrome.exe	87
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88
PID 4972 wrote to memory of 428	4972	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mcresearch2.co1.qualtrics.com/CP/Register.php?OptOut=true&RID=CGC_KnfQIoRySdobchT&LID=UR_eG2SxpjuVcI89KJ&DID=EMD_JqbZIEFG4jUCslH&CLID=CG_2wj1GcctS2yt596&BT=bWNyZXNlYXJjaHR3bw&_=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5b1bab58,0x7ffc5b1bab68,0x7ffc5b1bab78
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1904,i,2800971280471615114,14779372511152322835,131072 /prefetch:2
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1904,i,2800971280471615114,14779372511152322835,131072 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1904,i,2800971280471615114,14779372511152322835,131072 /prefetch:8
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1904,i,2800971280471615114,14779372511152322835,131072 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1904,i,2800971280471615114,14779372511152322835,131072 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1904,i,2800971280471615114,14779372511152322835,131072 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1904,i,2800971280471615114,14779372511152322835,131072 /prefetch:8
  2⤵
  PID:464

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2f57327fff06b981a2f87d871eaf151f

SHA1
1bf002ed8a0d7401a58f0f0cc75f48f0d8bb0754

SHA256
30983db47adfe06f51dd7ce1d8552391dbaea311074b4733abb97c3b85bf3ce6

SHA512
046a38e5e41f0a53344ccb9024e23832dfea3e6e44b05b2e177a8556500c266118aad79d6fa794ba4268356f818a49e16ff31e3efbdca48d7f1d337510d49e44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
519B

MD5
8be21c05c10f253d5d30b0a70d1ea600

SHA1
b27738184ced5f9360c1dfca21fa850b3c0b7fc4

SHA256
0ca5899c446ccf8e70cf87fc1aa5dae2ed27604e5f0d18243b90c81b5b946803

SHA512
cccbd832a0fe75f4c4a3283b71c32121ec05d30cc2a8993670e1f53832ab312b133369ccdd31cd6cd7d897bed9052e2056f4644d6e66d8946a36764f380e23ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a1dc0cdb6250625d60219ae11fcdd823

SHA1
e4194ac89f9ab85e908b948a299945776b8d3ee8

SHA256
233f7f5dd474d1c0c26c6efd45f72502b2c4ed9740a75010bff86162ec35ba72

SHA512
7ff0bdb28e2e216555a7d322db99da36bac27bf8f84d0d6ea7cc935d355ca79a430d2ac62c7c8a85a37620bf8d73d85a24f658c77b706aeaf718c1991b222088

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f89a1460b4a78b3a0cc2c648b5e7b72c

SHA1
01de55e2d526411efca8ebec6bf83ff055d9b830

SHA256
a8e948a01d239c782e17a8e696787c8b28de7b1dd2ffb2601b7e6624ce803680

SHA512
6f380b0df7cb88cb82e43a9699c91403b7d2609553e8b56723a4e1dc51ad06e336a1e2b14c3f1f9ac5776a630a00c6a2da01c2d6150787d5ecfcccced5819130

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
061cd905e8bbfde9c9c4e46516ada158

SHA1
01ab440e552af6b660a78dcb5dc42bb3996e7875

SHA256
fa35173919a641841d96a0d8b4ad6417e745a0607bb88d69fc968246d5672c72

SHA512
f826a1f3aa72800fda9600432fb4f3b18914fc8e655ab9c1c2478001d421d49c932529728cda34241baea199aaea9011f0adb38abc24dfe338c246a3c09e0329

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
72de7751de4bd4ffc01f7044e8159fa2

SHA1
aca2713c447328b656634f280f5ebbe5af5013e1

SHA256
5b012a63cee40c9dccd76642cbaa4fb95f1bcf5c349929ccd8e4706faeecaf8b

SHA512
205ba9be47f31f7335c1bb623479be496bcb92966a4cb0ad6dd5ef58aafd6cbcbda12914b4afd5e4029dc2184c8d19a2d6721bdd904e0ee30dbe654a35171b87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit