hxxps://fciconstructors-my[.]sharepoint[.]com/[:]b[:]/g/personal/lmallory_fciol_com/EdZUJfQ7Lr1BjT3N5GiEK0gBG7xQMgMkF7MeKGEgx3u1SQ?e=4%3ax8BJBK&at=9

Analysis

max time kernel
299s
max time network
277s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://fciconstructors-my.sharepoint.com/:b:/g/personal/lmallory_fciol_com/EdZUJfQ7Lr1BjT3N5GiEK0gBG7xQMgMkF7MeKGEgx3u1SQ?e=4%3ax8BJBK&at=9

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133649241143802790"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3508	chrome.exe
3508	chrome.exe
2028	chrome.exe
2028	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3508	chrome.exe
3508	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4472	3508	chrome.exe	82
PID 3508 wrote to memory of 4472	3508	chrome.exe	82
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2644	3508	chrome.exe	85
PID 3508 wrote to memory of 2164	3508	chrome.exe	86
PID 3508 wrote to memory of 2164	3508	chrome.exe	86
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87
PID 3508 wrote to memory of 956	3508	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://fciconstructors-my.sharepoint.com/:b:/g/personal/lmallory_fciol_com/EdZUJfQ7Lr1BjT3N5GiEK0gBG7xQMgMkF7MeKGEgx3u1SQ?e=4%3ax8BJBK&at=9
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2938ab58,0x7fff2938ab68,0x7fff2938ab78
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1856,i,9494600886057505021,7189257732906043423,131072 /prefetch:2
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1856,i,9494600886057505021,7189257732906043423,131072 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1856,i,9494600886057505021,7189257732906043423,131072 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1856,i,9494600886057505021,7189257732906043423,131072 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1856,i,9494600886057505021,7189257732906043423,131072 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4084 --field-trial-handle=1856,i,9494600886057505021,7189257732906043423,131072 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4328 --field-trial-handle=1856,i,9494600886057505021,7189257732906043423,131072 /prefetch:8
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4368 --field-trial-handle=1856,i,9494600886057505021,7189257732906043423,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2028

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
4ea5e42e1f8e220e4f753f6047055f14

SHA1
aaa82e2f69c599523f9d6509e708362f06d1d424

SHA256
af16461abe2bd6b69fbdd73e1a6af7820ac48e1a4bccc04b762e0fa2d53b0f80

SHA512
760eb3209393a69969099cdd39cbad7920c842803b82ce793387813c17d11c96bb93bfb360c91dd8467cd8aeff02d42ca71a7e5561a1054be579a0713cdef891

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ac4a92b1b1d9016e71c9ff8befa2dadd

SHA1
2ceb6ae656ea954287d042671e75aca2252b1176

SHA256
8f953d8bbaf0d91c3fc0a7eb72a0486f64ef1efce1566025a0892016c44aea52

SHA512
5b1e81b8880cee778287a46a3c892781fa3d3d4bb5439129fc2510bcbabe8123bbac6339b94d41e04e70f752b268a4b91a861a2644e83de35a846e071d74d366

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
bacd295c32a6b30cf03fd8599082dd9f

SHA1
d7db45e81cba74bef3536fc6971cba4b64f37ae3

SHA256
df0a2b3159a00577364a92a372ec9789feb1e167470e7aa857540e75b41f1c61

SHA512
c2d90131b5ab4975e7f545bd8d9280add6297a5ca9947b4553f4d3cfd5f9cc0e78c64326877e63573b7d1312ab559cac53d755bf5a2d48f1ecb31fc6995a1b70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
73421f52820f462a40c0b8e383ac1dfd

SHA1
d2bf7eca4ba3b80d8cd1913a114356546a28dab6

SHA256
f8288fdee5db5af083947b8a83bce9672be8654638bcc409c61f699a7f1d4bd4

SHA512
36b46945567a702844d7975d07be1fec1c3e8dfd1ca9dae847d5047b19f5dcfe639fbe079429c1ceec080240e51f5bcd5cdda93397eb0af7b75b26ea5c80a902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7bf8e60f1cca605d7c6d5d28c433eaf4

SHA1
e89505754020a8d6d787d7647de840137815bce3

SHA256
d662627ec35b9a1f600af5cbeb81c486aa5377e1ca36a2975aba8035004b2b4a

SHA512
31b073238dff3f5658b868edf8d01468f03100a534db83983fb696e8189318eabfd02c174ebb8428d566ad7afbf43e9047a05438a14207421bddd1b52a26e5ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bfab4d577c087b347528b48e4fb753f0

SHA1
074b38a31aed6ac16afa5b49153023e43282f5a7

SHA256
8c40a8be9b34c883bb38b57b10fc8d1e1da66aa9d21a14e305048128513223a1

SHA512
fc3a60512c27b80a317664625ff66974e14a06ee5f4e993202acdcd7b788a3180214ca291524c3bfebd9ddb6eebbe129c4407a23c79b62f0597c6aa2f0007857

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
4c6956e15151e4e565dd79ab0330f8a1

SHA1
6dd45562b4a71ef4c3a8dace1ead42c6a843c18d

SHA256
8bf816cc4726fbf85e397299468547dd9fcf1cf8015772bb7fb56e97c96fe670

SHA512
f44b8f0ac735bd5639a161175e145a26fc21ac9f2084e5963b4e32e1465fb43eb30b91ed6e54399428231123fa62bb0329709ecf1b497fb191e9c6ef77769ba7

Download Submit