hxxps://npl[.]qbn[.]biz/vendor/zoom[.]html#vivi[.]kwok@lockton[.]com

General

Target

https://npl.qbn.biz/vendor/zoom.html#[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637714921619153"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3704 chrome.exe
3704 chrome.exe
4300 chrome.exe
4300 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3704 chrome.exe
3704 chrome.exe
3704 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3704 wrote to memory of 5068	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 5068	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1796	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1696	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1696	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe
PID 3704 wrote to memory of 1876	3704	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://npl.qbn.biz/vendor/zoom.html#[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff928ecab58,0x7ff928ecab68,0x7ff928ecab78
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1932,i,9794374731422899873,1271552069827075674,131072 /prefetch:2
2⤵
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1932,i,9794374731422899873,1271552069827075674,131072 /prefetch:8
2⤵
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1932,i,9794374731422899873,1271552069827075674,131072 /prefetch:8
2⤵
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1932,i,9794374731422899873,1271552069827075674,131072 /prefetch:1
2⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1932,i,9794374731422899873,1271552069827075674,131072 /prefetch:1
2⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4368 --field-trial-handle=1932,i,9794374731422899873,1271552069827075674,131072 /prefetch:1
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4204 --field-trial-handle=1932,i,9794374731422899873,1271552069827075674,131072 /prefetch:8
2⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1932,i,9794374731422899873,1271552069827075674,131072 /prefetch:8
2⤵
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=988 --field-trial-handle=1932,i,9794374731422899873,1271552069827075674,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4300

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
384B

MD5
6d0aa2af233b9a97865a434300519ff9

SHA1
bd2450e78b565cf6e6ed99e867673242b9a86ae0

SHA256
959943adf85da3509e58975009cab23e547724b44b24e6239a6d44a75cbe585a

SHA512
f62cc6d590483d497c0c16f4252b695448bea95aeda9ae1f9fc719fc7e5b42ff37df68c6cd9683010a9a2b3d4593d1764a2107d02eecfb01dae58917664f66d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
8869856f45b3ce6468a3dff3951ecdd2

SHA1
18e45c7462f4936d6877820d8cd1cd0aba397861

SHA256
0b1c0bd9d1b3a9be30298db6da1052623f1c3dff71de7cc8589ffc6632d72193

SHA512
2b380a39f2b4ffa4d94e9c379a3c3c6381e8de08f65fb9c13cdf17c209aca1a00046f6af5672ee68eebca5afacf591c2c931f1bcac693086f158885dbbfe80f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
6c527e9cb61a3f3d14d94d54a029ad85

SHA1
97d1035ffcb959a6281f1151c30289b73e29c215

SHA256
8a9357bc1cf91c4dc1bac8719a82e8061714de5cf7eea105d842c89b8e1cc27c

SHA512
bc0de8a5b81e551a1b1fdb7ef352931c2650e20759d7b6951a4b8d0f822e00a82d7484e674ed97110c66539b6d2537a86b1fe3471aaf58b3adee43ca1145b9ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f962f4f66898636abf4d771bd2348530

SHA1
cac35e590b2d97b1a50c652959687e821433afd2

SHA256
cf15d12acb72d8341d81d78b74d7624b876992b5e40a92dddab333b1ab29a8fc

SHA512
49125db13262120b36c5f32b1e83e9add3deb7b20b30c1fd169cb07a22fd4938defdbf9b161862f2da56cd46c6bc57754d0a1b8bcd6c64932f5836d9a1e611db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ea10de14f208b0cc7155526455302da7

SHA1
e2606603eb6f7c8d51efdd5107234edc77966d82

SHA256
f8546ef365f55416d472514f91a706e6a6572d11ab8e6777d6b08496ab1afddd

SHA512
0578fd8128acdce4dce6dd67e502e20eb435012721240bc50e1767f508b05daa4200f901ce5acdb9848da0c16dfc788a87bd57fc780a63432975d266a59ef028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
cb275d3ca1059d1ece3f7bd119489a82

SHA1
e03abb0507a6504b2ca986b5254f020ab98dedd0

SHA256
de387fcfb19e2df78e40bdf9bf88caa0a16e9bcbe2d63d6adb6f25d4b20609e9

SHA512
08da94b16e1ea114b749d6d34ad872e5f7938ede44b525a5c6d2c6dd5bc589e460b726d337d1c13a9ab9cf94050b4872aaba3fe58b62a73c2a7deeab38e4ac88

Download Submit
\??\pipe\crashpad_3704_MPAGFNFDSMZOJHLM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads