hxxps://www3[.]fpn-process[.]com/unsubscribe/Me0h5c0cVY763SeP89268tkVrQ/pmy2ahqFLqhFi892KBlt7yMQ/EwdvMQ5V6wvjlMKTfTi71Q

Analysis

max time kernel
32s
max time network
33s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/09/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www3.fpn-process.com/unsubscribe/Me0h5c0cVY763SeP89268tkVrQ/pmy2ahqFLqhFi892KBlt7yMQ/EwdvMQ5V6wvjlMKTfTi71Q

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133700103927773272"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 2136	1584	chrome.exe	80
PID 1584 wrote to memory of 2136	1584	chrome.exe	80
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 2380	1584	chrome.exe	82
PID 1584 wrote to memory of 1500	1584	chrome.exe	83
PID 1584 wrote to memory of 1500	1584	chrome.exe	83
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84
PID 1584 wrote to memory of 2836	1584	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www3.fpn-process.com/unsubscribe/Me0h5c0cVY763SeP89268tkVrQ/pmy2ahqFLqhFi892KBlt7yMQ/EwdvMQ5V6wvjlMKTfTi71Q
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa09dcc40,0x7fffa09dcc4c,0x7fffa09dcc58
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,675619552362915148,17114598833660514803,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1824,i,675619552362915148,17114598833660514803,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,675619552362915148,17114598833660514803,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,675619552362915148,17114598833660514803,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,675619552362915148,17114598833660514803,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3528,i,675619552362915148,17114598833660514803,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:1272

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a3a63131d70375d7fbdc636eb34f6764

SHA1
b1f4e19be9efff3e8f45351838c291fdaa1d0698

SHA256
8e8d98287c1f488fa818320919f4946109728767a2950174c9a38c3adfe08b5a

SHA512
ca404f49cda523ff91f3427be866a728b2525d4f7ae49030d763756f435d674ccfe6dc9d408c7c90457297ed1359d233ad9da0a61c7ddb87e61c7811f7f531fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2fb9f2d7e3820a99dfe4854cf3cd4547

SHA1
69ab9faf68777267a2b1698aebeeb926fa05d7de

SHA256
137a7e5cada4d5f674e096cb17ccea5296dc0b978d123c3e769ced09b27d0cec

SHA512
90a9924ee51cae678e04629cba4e5c235dcb8bd637215befa2a0d0f692b17c4ca17f83e366b14655be4e29b075724fb27b5e8b03b9b498fe98799c0912858c73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e2340a34-6545-483b-90e0-8837ae228b16.tmp

Filesize
649B

MD5
8c546d0fffb72b8c3374a7cfccc014cc

SHA1
52d9db525c04a632afab3684ab6fafb45f988881

SHA256
749c6d43d7a498873848db2ecf515bdeda4a99933f376035b85ba5727d92f178

SHA512
33eae550799c029e4a7ba2a87b4dd616e0508cc5ac3a641ca39519e2a61419d2c78acb7114a8e2e2f6c4b1816f518f7e902b5d5c84f3a88ddc91d251fd213c5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
c7424d1f26645a80b007441b7a26cbb8

SHA1
8fc7bef46894cb42ebb043b161796c07758374db

SHA256
9bfc260a4d9ce8ac2b6f7e4526b4e124341ca3c75c96cdc5c5d02eab65489862

SHA512
71aa9631bd0452dae294a94e5432398906b8fad10fdac681751bc9466c3077794f3576be8434946b8f54a0721c1869bf3152cd6976738d052f2247d6b89e0829

Download Submit