hxxps://neowrk[.]zendesk[.]com/verification/email/FjFBJkFnKFKMJpuEiPhbuQKvCIzOMfBP

Analysis

max time kernel
299s
max time network
275s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://neowrk.zendesk.com/verification/email/FjFBJkFnKFKMJpuEiPhbuQKvCIzOMfBP

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612617361150714"	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
5004	chrome.exe
5004	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 5052	4872	chrome.exe	81
PID 4872 wrote to memory of 5052	4872	chrome.exe	81
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 4548	4872	chrome.exe	83
PID 4872 wrote to memory of 2024	4872	chrome.exe	84
PID 4872 wrote to memory of 2024	4872	chrome.exe	84
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85
PID 4872 wrote to memory of 3452	4872	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://neowrk.zendesk.com/verification/email/FjFBJkFnKFKMJpuEiPhbuQKvCIzOMfBP
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6011ab58,0x7ffa6011ab68,0x7ffa6011ab78
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1896,i,7134755677906759670,14522357145156610600,131072 /prefetch:2
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1896,i,7134755677906759670,14522357145156610600,131072 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1896,i,7134755677906759670,14522357145156610600,131072 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1896,i,7134755677906759670,14522357145156610600,131072 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1896,i,7134755677906759670,14522357145156610600,131072 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1896,i,7134755677906759670,14522357145156610600,131072 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1896,i,7134755677906759670,14522357145156610600,131072 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1896,i,7134755677906759670,14522357145156610600,131072 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2572 --field-trial-handle=1896,i,7134755677906759670,14522357145156610600,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5004

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
24d0a7a72c1634c01d1440ff43c7bae7

SHA1
996b98d1c2e345d1a7ed01be43493b453130e5bb

SHA256
fc8385d174076d7bda5af2350a932f9e8368ca1dcf81f05be0ad3be5074c5c91

SHA512
f94261fbba6c0a8f6c21f840583c8e3949c7c31ecb7e1f3890ad110e7b3c8e80b463e5b403536e37d096ca5cdacc5ff16188208fbc43d264e096446b662756d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3d8efeb1e1c2d111b2dcb47fd83ceaa5

SHA1
9eef390c0838760679770ea2c86435d48914beda

SHA256
3cff5e4df7874310280aaf8338970a6085a401ec7bec67592e4f757439b4b27e

SHA512
b3cbd7b081a150f1f16ae17942831345a348a972ab1ff70a72049cc73b2cb43936a86f66d1409b7fe59b341013935b645cb3db478942b2ad6aac4b544eb63fb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
f528f74d84dbab18a507154672ec0d73

SHA1
9dccd3dffe8b2b3166ec04f7fa0690eb80219d13

SHA256
d2cd274cbdabe1efe7a4286d622940e0dbbf76b306d0000a576416e9ce1a5c73

SHA512
dc51bd03c0aa470c9a53299d9ceda732644c48fb1e0073e01c410fbacef2cfa7abc5e575ed0c0331deb67619eea33a889725a1adee06e80daff4f1fc45f378ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
882a7ce3d60e147654630b248a1e0661

SHA1
fd7b59c341c3c3c21095f49fac47e353345bcb05

SHA256
95ffbbe9613683f34382ac56be196d509ef335a93774cc8a3029bb3aa321e463

SHA512
3ca7d4b4fa969c9d9c9b348a43aa5575f441a9fc193456cc0a73e387fcca15471fa12cfce036fa1546f52eb08fdf43596b067e60df56f6b5f0f92387393fbe99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
02889348e525157edda7460511385f30

SHA1
8ae8f7268e59505a5292c47a7718141045b3cc8c

SHA256
1463625b9a2227ea6d1a9bd40e872a07353fef0b182ae73d9164716bd2ab32c2

SHA512
0c8ab063596c35e7ff14fac63785a1b4c7b79481768dcb9a032180beeb9af387fd65b699fadc2f6d0a613c2581cd6f2807c3b50346e1d235b2c2dbd8f8e33387

Download Submit