hxxps://na1[.]nice-incontact[.]com/login/#/updateEmail?userName=tljackson@evolent[.]com&token=8ef9c75a88a54a75a5d2b14a3b64a0d9

General

Target

https://na1.nice-incontact.com/login/#/[email protected]&token=8ef9c75a88a54a75a5d2b14a3b64a0d9

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

720 chrome.exe
720 chrome.exe
4500 chrome.exe
4500 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

720 chrome.exe
720 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe
Token: SeShutdownPrivilege	720	chrome.exe
Token: SeCreatePagefilePrivilege	720	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe
720	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 720 wrote to memory of 2364	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2364	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 2312	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 208	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 208	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe
PID 720 wrote to memory of 1892	720	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://na1.nice-incontact.com/login/#/[email protected]&token=8ef9c75a88a54a75a5d2b14a3b64a0d9
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa38cab58,0x7ffaa38cab68,0x7ffaa38cab78
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1892,i,12470580294840929326,13990381924713223685,131072 /prefetch:2
2⤵
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1892,i,12470580294840929326,13990381924713223685,131072 /prefetch:8
2⤵
PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1892,i,12470580294840929326,13990381924713223685,131072 /prefetch:8
2⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1892,i,12470580294840929326,13990381924713223685,131072 /prefetch:1
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1892,i,12470580294840929326,13990381924713223685,131072 /prefetch:1
2⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1892,i,12470580294840929326,13990381924713223685,131072 /prefetch:8
2⤵
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 --field-trial-handle=1892,i,12470580294840929326,13990381924713223685,131072 /prefetch:8
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1892,i,12470580294840929326,13990381924713223685,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
08f89c10236323638de48615a39e0e1b

SHA1
990eecbdd1679b5d04aa15f5c9dfc60a1a2e1707

SHA256
9a22e08cfef96da6adcc8329cc9d69ac2bc16ad52856cbc5db533b2cacfd9fbb

SHA512
6b7afa569c15b1796f314c590522da4e2c1a53bf64470bad7da05aeee61c532d046d66aeb3b9bd8069469df120778f50114a92ddacf0a22bc37d2585a1ea8dce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
5f2eefa1d0cd456f154865c7eb6883de

SHA1
f87e844c4ef8eb54b0302e4b6f9e12b6c1bf78db

SHA256
b2bbfb32bcb32cd0652851012955a749ae8b1f77585c0e520876f39b3ea3e0f6

SHA512
8cbdb6d757455ac600c300e5f1c2044bdf7920f163ab9589fbe0d2d04ff155aad1fc570acdddcd4edd6602e3603736115db08c30625bb9b691db76c30341e11a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
9e4c2aac636b3ba6ed774899a2a8e617

SHA1
873670a29d754bbdba4e0fa113e920174d48cf4e

SHA256
f4eb4df4730230e634d4c5637250943b96492b5dd5734ebb192d7c672a733fd0

SHA512
6fbbfb635590e09c1cdee8cba7f9be05e1ee7ba961a28225ce31ac56c0a23a6abbe4fb5f2654caaa8c0cf452b334e113220b71ac6478616ce091303e4a8ab4a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
4424da60b77d53831b0c50bfb304b548

SHA1
ca2fa99bd1a2af4571567301b5cae5841791dca4

SHA256
f6a943df648832ae95edd9de9fd7e3509edee0f1852e3e57a5f125d54691b847

SHA512
05e9eaeef3dc45d35234918fff6a1d2208b65c7ad60edcdccd138e899ea5ec3c91726840afa95392acd6b8ef6f58ac6b3e685ef24472f1c68765e4cb43cb57ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c7f8ecac0b86af52002ad5d6097eb696

SHA1
71389f306b04dff9eb062db686bbd0fa3f65b792

SHA256
96ecbbc4f21dde79cd2839e380a48e7b830098ff960687ef7aa50a9460137c82

SHA512
92f8151acac3a379f71eb046d7a4371b052aeb234f8879de186d6c4694ef1dd00caa450b18dddc5216b24c8f8dd09e05633df34455156804759975d6ee9539ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
b5860316835bb31732646774a6cfda1b

SHA1
692c2e054e7c1fdcc4c0173e5cb95398ed33f7e5

SHA256
9e4e14161cc34ac30e0d2ef29609bb8b1c41a89a016dcff166a4e2e9dbe7841e

SHA512
7163141b5cbd2ec0e8dffc524732a3d2c787f565a0d23bb0b32bcc81f5ee33e891450bddf6b9618c7c5f9bcae4bbcc598e0607821cb3977a7270695201ae933e

Download Submit
\??\pipe\crashpad_720_ZYZMGFOVYDFIFRES
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads