hxxps://au[.]docusign[.]net/Signing/EmailStart[.]aspx?a=ce36509f-4a6e-4eb0-88a1-45cd4e7ea9c9&acct=897dd801-883a-44d4-a3ce-db18e76a316a&er=bd7adf9d-74e3-4d4e-bf4b-da9032e67c8e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://au.docusign.net/Signing/EmailStart.aspx?a=ce36509f-4a6e-4eb0-88a1-45cd4e7ea9c9&acct=897dd801-883a-44d4-a3ce-db18e76a316a&er=bd7adf9d-74e3-4d4e-bf4b-da9032e67c8e

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133620032099170332"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2928	chrome.exe
2928	chrome.exe
3676	chrome.exe
3676	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2928	chrome.exe
2928	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 4084	2928	chrome.exe	83
PID 2928 wrote to memory of 4084	2928	chrome.exe	83
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 1492	2928	chrome.exe	85
PID 2928 wrote to memory of 2148	2928	chrome.exe	86
PID 2928 wrote to memory of 2148	2928	chrome.exe	86
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87
PID 2928 wrote to memory of 1044	2928	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://au.docusign.net/Signing/EmailStart.aspx?a=ce36509f-4a6e-4eb0-88a1-45cd4e7ea9c9&acct=897dd801-883a-44d4-a3ce-db18e76a316a&er=bd7adf9d-74e3-4d4e-bf4b-da9032e67c8e
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe8756ab58,0x7ffe8756ab68,0x7ffe8756ab78
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1864,i,17702685332885963075,7090172367406475216,131072 /prefetch:2
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1864,i,17702685332885963075,7090172367406475216,131072 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1864,i,17702685332885963075,7090172367406475216,131072 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1864,i,17702685332885963075,7090172367406475216,131072 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1864,i,17702685332885963075,7090172367406475216,131072 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1864,i,17702685332885963075,7090172367406475216,131072 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1864,i,17702685332885963075,7090172367406475216,131072 /prefetch:8
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2696 --field-trial-handle=1864,i,17702685332885963075,7090172367406475216,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3676

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
7d8c72963bc74514c07a7cc118866bbb

SHA1
e76762495c57685a206f99c2593da2f2f2be1747

SHA256
12502d2e6612ca2101d2cd13f771a4b118386f3ee1eacecbe2641a02a7efbcec

SHA512
2e5b6742590ab17bcc223f8d48deafb1fe27c217e3f7faba7d6991462b21872d792b1a0a7c43e6804dc45bc4be397b92b26200a21572de139b78db7f11341553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ab56edf547ca3e3a494bf25481eaae72

SHA1
4b28492fd87389b383be66716df6db6b982f0c35

SHA256
bc828f2adaef5a1802e53fa2c1b280f003121034a9677c3303632be7433f36b5

SHA512
614d901652d526664635e44bb8b8404ebfb960bf9620eb4cdba81167e7f63814d4c4743581101ad1f2da10958d75e4348af1088e91b40d642db10be0a023e925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
24a80a8c7307440153a1c6c7562ddf40

SHA1
ad10999de487aef14d9e66dee9b590b75e1587e0

SHA256
eec4a9b84dced03853adc45a57fd7b6c00addc989474f9c8efd40f13fa3def94

SHA512
015dfb4022f7ce2b76aa41f7da676e20557bb9b0c3e2935064432ccebcf04f16948efe79ae63eae5d077948884ccac87648d7152c030f2059650571aa160bb42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
8d8f1894c87145fcdcf1db20962282d2

SHA1
ae3769d3e4adb87afc30f051fa412f3985909678

SHA256
b36dd9dd9d1493a85e97e05ea4f6883d819a4df914b3e5655b4f35177dd7fc7c

SHA512
e98f88e7a193f81b44162d029f4505494a0b6c72cf095a8194215d42dfc5d1886d055876414cece7cc34e92dca3dd339375cfb8506d0ae65ba09001fd06bebf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a0bfd79501b0103fae1bef4fdda98e25

SHA1
d11a3f88df0d81677aae3dda9ebff4f3a730d32e

SHA256
ca0ff9f5b5b26c0156d7b46e0f6dfb9f70afbcce161d423036184ed848828fc3

SHA512
fe8fd5c0751cf2c6fc40c7e6d96cf537d5b206a3a33ae939b18c1a188b11c161579f08ac6f007127ee81d61443ae09e8138846d0bf0d2f6914d5bb092d4f9cc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fa490b1b-f56c-49b6-85da-bfd2888ac03a.tmp

Filesize
130KB

MD5
93ee768612004f6cc845df6bba738904

SHA1
8b47776a6c2faafc8ef5ad6a00cc4a62e0dfbe09

SHA256
9616e58fc8fb4c59422dd52ed1b2fd48fcc5c84eb64b232d1e7509ed43b0e3ec

SHA512
a4917692f40ea1e22aac5544e9dba268871c1a8258b8e8c2e7494733a2f5c0d70f4b5ffb991d3003262a7287f67017e0b9bf5deee13510dc73fa2fd8eed65dd0

Download Submit