hxxp://secure-web[.]cisco[.]com

Analysis

max time kernel
149s
max time network
146s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13/07/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://secure-web.cisco.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133653398389083962"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4444	chrome.exe
4444	chrome.exe
2668	chrome.exe
2668	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 4452	4444	chrome.exe	73
PID 4444 wrote to memory of 4452	4444	chrome.exe	73
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4400	4444	chrome.exe	75
PID 4444 wrote to memory of 4100	4444	chrome.exe	76
PID 4444 wrote to memory of 4100	4444	chrome.exe	76
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77
PID 4444 wrote to memory of 308	4444	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://secure-web.cisco.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffab0239758,0x7ffab0239768,0x7ffab0239778
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1852,i,11342726159419311739,14805972677577774524,131072 /prefetch:2
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1852,i,11342726159419311739,14805972677577774524,131072 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1852,i,11342726159419311739,14805972677577774524,131072 /prefetch:8
  2⤵
  PID:308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2660 --field-trial-handle=1852,i,11342726159419311739,14805972677577774524,131072 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2668 --field-trial-handle=1852,i,11342726159419311739,14805972677577774524,131072 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4576 --field-trial-handle=1852,i,11342726159419311739,14805972677577774524,131072 /prefetch:1
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3136 --field-trial-handle=1852,i,11342726159419311739,14805972677577774524,131072 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1852,i,11342726159419311739,14805972677577774524,131072 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4868 --field-trial-handle=1852,i,11342726159419311739,14805972677577774524,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
780d5d43bc5bd86df196ad4d567619bd

SHA1
f906520d1c15c9ef375abecb7ad181f3bde37de0

SHA256
f94900abbc5a72d3c0b19b7734c01bb115271f4d52968760e61f0ca0217f4c0a

SHA512
9a5337762b0778810f95649f22dc6cf86e9f0511759bd8ccbd8987e943a4afb7ce77bde4a61b0501d86e45223c4cebd9f0630ed9cdd172aaf557814e7e220fd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cbd290451990856e08545086556e4eea

SHA1
21ee3b0d542962614105f8862f8768cbe45132ca

SHA256
da230874a8a327bf113fb299b881af2c84d6a888c130d7819acf40c205a1e2ac

SHA512
4cc88fa0972699c982d78bae0365bb8bc87e856e049638c6e5b7974f42a09faeabc607d3c38190fce3f384f5e3f4f6e60c68f8c0e2ff17172c2bf14f501e0240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
da4a5ae8aa3c70174b7e2b615bd8b5c9

SHA1
96b12596d9a75d1db1f82728a7211cab0e385d41

SHA256
d8e55781018bc6a71031d91de09c317e7f290a7adf6067df9259927cfc8cec6b

SHA512
b05f7a05efbecd351dbbcb95349c15a81eedfd3f6f21138efa1f4b01c173d287efd8795fd84cc03b31f398ca571b0d1f075fb1f601b62801dde79cfb23772b8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
85ae90a818ebe87e0164f14bf41dc198

SHA1
64a6054595254ce2ee03908d59e064daf4e33264

SHA256
afd90fca98a3ad7cac47fa8baa171be81e837ba616a3571f5f23e678b84227e4

SHA512
31c41df0446a846e9a82d0e27507a7e1445a566e11efeb12b041f9f05f8ff8eee1ddc3c8b06c52fe6e60cb64675d7eca1a10530289cf66f3c25697e724e031e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7cc9eebc0915fee055e552ff4be13ae5

SHA1
c852ebd15263a393eb5bcd50ba90c28760c59b18

SHA256
2d32ba76f335cd5f808c1719ee4bb76b0ba4eb17dca1369ce680ca5137169dc6

SHA512
26d3374e5c0dc8893de6c43cfbbd94bc60c69491679a3dabbb017b337827882a44943cc347d49d4ab40d2a0ca064afe0bb7124f045f33020899b4d0adc2827fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9d3d00799ff940420bcd6c14c58c5049

SHA1
4288626c748a9e3476a35c0eb8e12c792cfbb638

SHA256
3cd47adfb42737e97d4d2f05a5fc39232c9e0aa28cb47459a90a89e5144f2610

SHA512
a176a2451fb9eb42dd4f6d691619cbeccc07b4cecb0f25b526710fa3d68105680fd9e2442fa9ef4427dc54dc6ac6e62bad27cbae731233a04b4c5397763017a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
afb7a1b6099e3a33788c4adbf2f3a6fe

SHA1
80cb7097fb5afc48a0289f65b23dd78698ae35d2

SHA256
111615e4fe96348d505f194bb6284663b76a04b1fcb811d2d93109ca278de897

SHA512
f957893f5f42e90583305cd458bd422b2139a02256d6cafe3b4cbf6244d9ca5ac3d0314b216e8b16025cf46af791254e5b54ade081e46a1aae8a9acb5b25211b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
caf10fede03f38f524555f975eecd0e8

SHA1
d62538df17a9d319e2fae81674e147f9808e0d94

SHA256
b9f1046ff9ee4f119650c7db6ea16cacf19da6f51623bd5ebf2be110378c5aca

SHA512
223d713c90798ad3176c9a6ef3ed935a2693318adffc4c99d23d1daa7927e29627a35fd341a2d363ecb5bda1a8eb86f0a7c65ba6d851c5f0fc7c70fad98b8594

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit