hxxps://apps[.]mypurecloud[.]com/directory

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 01:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://apps.mypurecloud.com/directory

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640116453366328"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{EA32D432-7D4B-4100-BAE1-FCF316CE1A0B}	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1648	chrome.exe
1648	chrome.exe
3344	chrome.exe
3344	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1648	chrome.exe
1648	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe
Token: SeShutdownPrivilege	1648	chrome.exe
Token: SeCreatePagefilePrivilege	1648	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe
1648	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 4424	1648	chrome.exe	81
PID 1648 wrote to memory of 4424	1648	chrome.exe	81
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 1208	1648	chrome.exe	82
PID 1648 wrote to memory of 4332	1648	chrome.exe	83
PID 1648 wrote to memory of 4332	1648	chrome.exe	83
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84
PID 1648 wrote to memory of 4472	1648	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://apps.mypurecloud.com/directory
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff810c3ab58,0x7ff810c3ab68,0x7ff810c3ab78
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1872,i,16716118060871776056,4681664779868428562,131072 /prefetch:2
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1872,i,16716118060871776056,4681664779868428562,131072 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1872,i,16716118060871776056,4681664779868428562,131072 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1872,i,16716118060871776056,4681664779868428562,131072 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1872,i,16716118060871776056,4681664779868428562,131072 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4244 --field-trial-handle=1872,i,16716118060871776056,4681664779868428562,131072 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 --field-trial-handle=1872,i,16716118060871776056,4681664779868428562,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1872,i,16716118060871776056,4681664779868428562,131072 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1872,i,16716118060871776056,4681664779868428562,131072 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1012 --field-trial-handle=1872,i,16716118060871776056,4681664779868428562,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3344

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
33KB

MD5
c422b47e20d172d825034b3dffdf728d

SHA1
615a9c486cb2892a07dc81fa523557d7e84078aa

SHA256
7485eb4276e1c9f541c9a57c2155e5ccb4f0883f22cd6d9c1191938e5658276c

SHA512
43d56d649954f27f4f64bac1d5eb8a210f0eaf81cf2dd19b8cbfd71fdc2b99922b4d65b646fe29e61c020eb15848a2728b71e04922c210c6529c35c29921ee14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
4bfd66b39747f133e38d9d8e60f970d7

SHA1
04cac154bb89e1ed02cc1e6b9850744bf3239f21

SHA256
16439fa0bf28fc532eee94ba870f3edad9a67521fa84f2901b5e072ec7e307fc

SHA512
f7b6c5a6c934f34aeb3af41a517ed5bbf7f4f66d0cf340d45912c599df9dd12bfe81a9cb0192c2edc90cc3085216b3b99b58de0156ba5038a70e72c306f0b5a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
600f37387a58d12f1f4fbda400e93460

SHA1
3370c7231e6d2c79d97622d165d83f48b0e5c81b

SHA256
bb50086a57a1a90d8b7a6e6b69f5f50c4d29de18255761cd87a8b5b5f93dde91

SHA512
e01b9ed191fc258b32a1d1afc8c38e8b7abaaac2204b43debf2ed5d6983e7eafc332c36ae8c406592543367819b9cb7e7bdb959c0d4be0dc63b738398c5410ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
f387eabcc042e00f3fdd41e4c2b0a71d

SHA1
9ed1ad74ed59a06bf635a5091522e10edb648408

SHA256
d8cdb032d210040716a0422148997bf15cc7fbefe55e0efecb81bf9ce21c5f1b

SHA512
6f8e9ae3425f8d694607c9450455d7ab2bb8b818ca1e247d914a9b3174771901c7b8cc09215c2cf1b3a16983af6ac79f09f009e0b10a26a825a4e7ee10eebc31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0e2c84e6a12c1fba7b04fce22a104b8a

SHA1
2c7822f60c99c4a3b18a53eee989bb594076ca5e

SHA256
7a3e0ddecde6b475aae07f15abd68ebf4bf001ce8dbf8ca0465b6c357f6191f2

SHA512
ddc971299066f1485c7732bb37c7dad55fe9d62ca6221a8f9c095cd276fe9efd095cd322935d2e4b90eb39792cdc22288de57626e628ee14b95f452ef293e717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
7e6cdac4c61f37f146da735f87cc6732

SHA1
645ba5cc44db4304a1159ca734a46aed51954d47

SHA256
188765ff34e3ffd763521604dd67e5535ac58bd90b2cbef9dd689e823dec99fe

SHA512
65df886431d1280b828a985aeb2ebd5b32283f129423047b1a3ed6947e426a3e1b10002db255e7a93c0a922a2cbdf79e3bce2d7fc015bdc4d7ae6d869f5f429f

Download Submit