hxxps://mailchi[.]mp/aaadvocacy/june-enews?e=f7bcf38012

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 06:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://mailchi.mp/aaadvocacy/june-enews?e=f7bcf38012

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133627330740392476"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
548	chrome.exe
548	chrome.exe
4804	chrome.exe
4804	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
548	chrome.exe
548	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 624	548	chrome.exe	81
PID 548 wrote to memory of 624	548	chrome.exe	81
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 3008	548	chrome.exe	83
PID 548 wrote to memory of 1784	548	chrome.exe	84
PID 548 wrote to memory of 1784	548	chrome.exe	84
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85
PID 548 wrote to memory of 1820	548	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mailchi.mp/aaadvocacy/june-enews?e=f7bcf38012
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7ff959b1ab58,0x7ff959b1ab68,0x7ff959b1ab78
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1728,i,7110135877517322255,16639246224176531580,131072 /prefetch:2
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 --field-trial-handle=1728,i,7110135877517322255,16639246224176531580,131072 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1728,i,7110135877517322255,16639246224176531580,131072 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1728,i,7110135877517322255,16639246224176531580,131072 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1728,i,7110135877517322255,16639246224176531580,131072 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 --field-trial-handle=1728,i,7110135877517322255,16639246224176531580,131072 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1728,i,7110135877517322255,16639246224176531580,131072 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1728,i,7110135877517322255,16639246224176531580,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4804

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
a08a840ba4f2182d8640163008c44414

SHA1
14feb1f8f3e2734e6ebadc76a67778461e087db5

SHA256
55fcc08b5af8e253a7eb03456a38c0eacf43bcddee876b815a33375056cfd4d8

SHA512
0965d036b8dabc13086a45e2b5547b3594ea5c9c52dd096e4dcd0600d56f70f44f136e9a5090fe75ebc502e41e7a097a39aed4f35250bec2b9dc22625d3027f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
11822633a25c348b40ce803a2695cbda

SHA1
bec287ae15f26b62b15d38647bc668c0a64d71b5

SHA256
6e9534413d3df0ddc985591ce70f6d9a7d1ee4f2d043613677d0a1c092ccc293

SHA512
918e3568e4d30aaed43f567dbb3737694098d5bbe908192ef94313131a2c5b8e687ffe708adffb58859e055f8f89a331c30e4e66687f2588fa03ffd4a1d9c619

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
9eab1925aa58c69b017d48485fd4ddf8

SHA1
7f401ad7ac3dc8eed1683087fdc629890f219112

SHA256
f069aeebdbaec5cb675d450732ea069767b013caa31b01cd1d4152c8179d89a7

SHA512
66a8fff557a46d5a6efd9d1a7a4e2c25f9864e43afa713e209feea14a026df9c0ab7bcaadf7db2b1ca3f751090c4ab5a19937f5255e5c6d4a5d1bafdf920146f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
dbf2968c83ddfa961b0963eab1cd3157

SHA1
5a95d5d9549ec7987de6d4707fc35f5a00c50f62

SHA256
0c0a4b7820cf148dd7c4d4209c4d9359d98e5273091232aa877f7102a45ce221

SHA512
a90f7b4f101594c45994419a83e1c7545974dfdc358f454af2c28154aa1d717928594531f6f20f19da4e9a4a8188f8e2a034013d9db85d4e1652dbebd813e170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
dba62cd571c4a091ca307f5260504f2d

SHA1
ca8ad35a54bb17653989261142b14c4493b86274

SHA256
6b33cfc6c379a184c98a0e556bfccadcacee9c71a848251018b4fb8be4962211

SHA512
61914fb9b6807b77b4f82374b990de844086f587ca4257fa23ea08bebeb969f4d18546e8ef0906f96be7755b70449b3afb50e0f08513ffbf8bcf7a6c60b1d4d6

Download Submit