hxxps://na4[.]docusign[.]net/Signing/EmailStart[.]aspx?a=92b73b30-b0dc-4773-b63a-7d7769244b60&acct=91e0c3b3-63fd-4b16-81ac-722ae220e6bf&er=8af8b73e-fc73-4052-bb2d-9d6aa97bc54c

Analysis

max time kernel
27s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://na4.docusign.net/Signing/EmailStart.aspx?a=92b73b30-b0dc-4773-b63a-7d7769244b60&acct=91e0c3b3-63fd-4b16-81ac-722ae220e6bf&er=8af8b73e-fc73-4052-bb2d-9d6aa97bc54c

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612512108908078"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3200	chrome.exe
3200	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3200	chrome.exe
3200	chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe
Token: SeShutdownPrivilege	3200	chrome.exe
Token: SeCreatePagefilePrivilege	3200	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 436	3200	chrome.exe	82
PID 3200 wrote to memory of 436	3200	chrome.exe	82
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 3568	3200	chrome.exe	83
PID 3200 wrote to memory of 2996	3200	chrome.exe	84
PID 3200 wrote to memory of 2996	3200	chrome.exe	84
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85
PID 3200 wrote to memory of 844	3200	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://na4.docusign.net/Signing/EmailStart.aspx?a=92b73b30-b0dc-4773-b63a-7d7769244b60&acct=91e0c3b3-63fd-4b16-81ac-722ae220e6bf&er=8af8b73e-fc73-4052-bb2d-9d6aa97bc54c
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb9238ab58,0x7ffb9238ab68,0x7ffb9238ab78
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1836,i,7247597771312146556,5137974997809135208,131072 /prefetch:2
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1836,i,7247597771312146556,5137974997809135208,131072 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2300 --field-trial-handle=1836,i,7247597771312146556,5137974997809135208,131072 /prefetch:8
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1836,i,7247597771312146556,5137974997809135208,131072 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1836,i,7247597771312146556,5137974997809135208,131072 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 --field-trial-handle=1836,i,7247597771312146556,5137974997809135208,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4224 --field-trial-handle=1836,i,7247597771312146556,5137974997809135208,131072 /prefetch:8
  2⤵
  PID:3564

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
c551ca8a15ce1a839a3812cdbf8b4629

SHA1
913d3cc9c5f0636311e552341a28507a81e5c663

SHA256
94fa826dd602846eaf244525da930f4ca729d4b09638e95a928cdea1900d1368

SHA512
4e74699eca2ba8c96377b019e6cf52d1f249ab406857311210b205b968867466177b9de2aa417d8dce35429f0e0f1cb90eb5ea67afcd07c9e93079455ecdfe0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
49f71c3bfb2f51cb46b804a3e09f0c30

SHA1
909744e2d526a4a372da527e93c28f4c6e13cbf0

SHA256
09658720295cc9a7eee19e0fe22e6332d8980a29dd5af395f5457d73902b9787

SHA512
99d9523845d23945c83c4949761b5b058243975a86cb4dc04a6e6da2b59929acae2a9c9c1b2754924ff4432999fcf85a718261d931215142c7deae87bedad37b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
093ad099ddcac636e6c0a159e3300496

SHA1
81fdf2768b6d09ecec4011d4539c0bf76d874529

SHA256
9e015b5b94ed7a593ba55c3ffb733f77c5893407fa3923b7905f4658e1773e13

SHA512
7d5f25baa6a6ceadaade7f6bc630bbf1aab44117d4800989d5e8939af6cfe0d3da6d14b183fcaed1ca355ab38f7b3434b9681a36fb7f9eca04041c436e1dba8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
774e3ad1f4f9ef8b79adc2974e383110

SHA1
174c28d1d352cfc35b969cdc26eeb7e99d323ec5

SHA256
ed42230cf948b56024f114ceb28eb8040c1238373e7c549e2e42658534df3386

SHA512
21ceff973cf19df243f694d3f0fc5e276dc30d8b2b1c1e3f56ef3a99e826cfd41a80aaa9ad98b58463df0c8d8602fd43d6d818caf264b1c448985b4d3c2c881f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
11ecb57ea959002fd3ded4d79d8ebce6

SHA1
bca437f5f231e69b42f59488abe6fe468c04be87

SHA256
4cc494d2cd19f08d797670c1a9de23477128d2860cead81bcc6ceb8a02b7708b

SHA512
599a9f45bc013ceb479d706301b3eea4e06554d360b7bbfa990c10bad99995f30200c1cc72549697612dd37c0e8faa726f38b8f6c6d2101b8e6160ce9d061cc7

Download Submit