hxxps://aka[.]ms/o0ukef

General

Target

https://aka.ms/o0ukef

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622184687351851"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2804 chrome.exe
2804 chrome.exe
1508 chrome.exe
1508 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2804 chrome.exe
2804 chrome.exe
2804 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2804 wrote to memory of 3064	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 3064	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2192	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2820	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 2820	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe
PID 2804 wrote to memory of 4564	2804	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://aka.ms/o0ukef
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8d6259758,0x7ff8d6259768,0x7ff8d6259778
2⤵
PID:3064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1828,i,4493472554291556081,3533526859994681986,131072 /prefetch:2
2⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1828,i,4493472554291556081,3533526859994681986,131072 /prefetch:8
2⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 --field-trial-handle=1828,i,4493472554291556081,3533526859994681986,131072 /prefetch:8
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1828,i,4493472554291556081,3533526859994681986,131072 /prefetch:1
2⤵
PID:3464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=1828,i,4493472554291556081,3533526859994681986,131072 /prefetch:1
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3760 --field-trial-handle=1828,i,4493472554291556081,3533526859994681986,131072 /prefetch:1
2⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1828,i,4493472554291556081,3533526859994681986,131072 /prefetch:8
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1828,i,4493472554291556081,3533526859994681986,131072 /prefetch:8
2⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3748 --field-trial-handle=1828,i,4493472554291556081,3533526859994681986,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\511af7da-301e-47dd-b4a2-aad6f556d695.tmp
Filesize
874B

MD5
34d37ff057a33b79bf327e198d91b1d8

SHA1
39699a65a12703d207cee4d031e01fb4532bd945

SHA256
f8ce99d7cf61c05694bf5d69c4a257acc25e9827467b8615982efc77dfd059d8

SHA512
a1f390acbe59d601f2145f257f6911ee567ed13964ad0ceab440be62edb93c69e77a2998d9c92400d976ce06022d3fd16f97e26874fa7d6b063c57e6f0c3e6b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
914B

MD5
8fa29193ca9bc210f4143db0374200a1

SHA1
7664e8cdbe0c3a5748ae1487ac3e5ce43e62f13a

SHA256
f21984ab84bc409d4423a0a7f7c669899dec958576932917c14dce67220415cc

SHA512
15f8c488d8ba4827d5a111fb8b89936b8376f62a2d68ffff8ebcb2774d217f85555d53b622d4df467020eb7104c74990372312806e0d90e3d61945d2e1d37c22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a8555329d4c7f0abfd046e6934d00d30

SHA1
50bd9a68fc3cc0f9a7093f404a538dd925ac024d

SHA256
33be560b9c368ea348887ce0305cd0d9bfb0132b01525c7766c9f82211c0086b

SHA512
30c2376ee221d1457d7dbcee4cf9413292996dfe7ba4c7c9f880793cd9ede3399c7d0a8ad83431c81c50a88bb8a6bdb9cc04215724c499be0e852bad93256e83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
3c0e901f7af50447d7baec5d760a0a3f

SHA1
5b4356f7867ea668107d8ae829d3ecb89fc1a2c7

SHA256
46f2949eaa4816f0f872911e06f2191f79d0a1a5b21c2dbbef104e1dc473d815

SHA512
3f33d20f7e95d68908eed160f55d17d138a2ee90a908629d36bc7d76af9142820ce686cf17169250e1fcbc31eeffee5258717b8a37a4f571173be54a4a0a3911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
8a2ccda231d3ac3cdf18a95db3d51a8c

SHA1
a8c8e8ee2d928cbab29e191ac1fceba8059b4db1

SHA256
2825919ec3119c8d67ef1b0e328fd4b136db625ce6c5ebeef142f13299147556

SHA512
c4585401f636509e56c74c9fbf1b13884ef6d10168d731c2585c4775189d8663810fe802dbaa2d7ff19e84ed04927ad32af15aba45d26ea18ccdbf57767255b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
5fb4b504ab6b78d915263d090109ee23

SHA1
862a1061faec690ccf3d5ea658eb1abbf387c543

SHA256
95ba2031ee7e044bf81f1401b45ca2e968ff837bc4357dcd5cb28c0453bad5ac

SHA512
a90120a7f32f97ffd9139d79674f16f474d492768c452e9c3879f8d7331584656d01353e8c576ff9dd3b434d10961ce171b592e18f066eb167ca6fafbb7d2515

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_2804_GQYDHLNIWVNCSOBZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads