hxxp://qemailserver[.]com

Analysis

max time kernel
54s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://qemailserver.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133650115739133999"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2464	chrome.exe
2464	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe
Token: SeShutdownPrivilege	2464	chrome.exe
Token: SeCreatePagefilePrivilege	2464	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe
2464	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 4728	2464	chrome.exe	82
PID 2464 wrote to memory of 4728	2464	chrome.exe	82
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 1132	2464	chrome.exe	85
PID 2464 wrote to memory of 3512	2464	chrome.exe	86
PID 2464 wrote to memory of 3512	2464	chrome.exe	86
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87
PID 2464 wrote to memory of 864	2464	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://qemailserver.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffb51b4ab58,0x7ffb51b4ab68,0x7ffb51b4ab78
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1876,i,10196406985476288944,11727928634094965793,131072 /prefetch:2
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1876,i,10196406985476288944,11727928634094965793,131072 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1876,i,10196406985476288944,11727928634094965793,131072 /prefetch:8
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1876,i,10196406985476288944,11727928634094965793,131072 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1876,i,10196406985476288944,11727928634094965793,131072 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1876,i,10196406985476288944,11727928634094965793,131072 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 --field-trial-handle=1876,i,10196406985476288944,11727928634094965793,131072 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1876,i,10196406985476288944,11727928634094965793,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1716 --field-trial-handle=1876,i,10196406985476288944,11727928634094965793,131072 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2176 --field-trial-handle=1876,i,10196406985476288944,11727928634094965793,131072 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3088 --field-trial-handle=1876,i,10196406985476288944,11727928634094965793,131072 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3216 --field-trial-handle=1876,i,10196406985476288944,11727928634094965793,131072 /prefetch:8
  2⤵
  PID:4000

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3848

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x3d0
1⤵
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\514ae0a1-fc9c-46dc-844f-d1eb136c79bf.tmp

Filesize
6KB

MD5
07887fd5d7ca8d938822c33f8e650df7

SHA1
2c4447d61035eb7c63e3718a47223212871130c9

SHA256
6a84f0afbeebf7d399c3861480d624e499e7bc74717aace753f36b19b04c8cbe

SHA512
4d47a73da35249ac9e5762efee1375c540cc1e7378af9d92b7a8f6037d1aaab6f0a77b7b8382107a35e92bae0c5e783058fe828b6b44e213b9bba0353d477ba7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
100KB

MD5
60a93698c97e92b3005e3815df3bd4fa

SHA1
1ad80ce350a2ea0320c664bd25713c07198bcca9

SHA256
66cac147f0d835e07f1728296ab7f6600ea9d8c1464214d3169e0d1d8b311a4c

SHA512
4b02fbbd2d0682f2c0a2de4a81c8552ee737fafba0abde6ce88e35e1d0ad905c669fc899d62d06fd24248a0921c234c9c0a092bdd63addd6ba37569be34c84e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
577658aea7a9b8e144337b794eaeddb7

SHA1
387a2c341435dc8dd8530c92176ef7b84e708bc0

SHA256
fe0250c0b53ca850d5456dea750c828490cafca188c07686898fa0c9cda4c515

SHA512
abf4b550fbb823acede61410178c7634fcab1b62874efbac1be850af032a76699bebcab14b99a0a17980180d0543937f52d4cc369379fa7b908b5e59e5d239e7

Download Submit