hxxps://cdn1[.]onlineaccess1[.]com/cdn/static/q2-pendo/pendo-2[.]174[.]0[.]js

Analysis

max time kernel
66s
max time network
66s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09/09/2024, 12:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn1.onlineaccess1.com/cdn/static/q2-pendo/pendo-2.174.0.js

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133703594128799705"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2432	chrome.exe
2432	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2432	chrome.exe
2432	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1084	2432	chrome.exe	78
PID 2432 wrote to memory of 1084	2432	chrome.exe	78
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4624	2432	chrome.exe	79
PID 2432 wrote to memory of 4732	2432	chrome.exe	80
PID 2432 wrote to memory of 4732	2432	chrome.exe	80
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81
PID 2432 wrote to memory of 3348	2432	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn1.onlineaccess1.com/cdn/static/q2-pendo/pendo-2.174.0.js
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4a04cc40,0x7ffd4a04cc4c,0x7ffd4a04cc58
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,1778684632798501518,13886124980209624859,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1812,i,1778684632798501518,13886124980209624859,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,1778684632798501518,13886124980209624859,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,1778684632798501518,13886124980209624859,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,1778684632798501518,13886124980209624859,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4508,i,1778684632798501518,13886124980209624859,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3680,i,1778684632798501518,13886124980209624859,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3692,i,1778684632798501518,13886124980209624859,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  PID:3060

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ef65349337a222d29c8b317d69f6af8f

SHA1
54e8a4e9339f377803cc68c57eb63d41a8bd9e49

SHA256
e6caf9afda8d53eaefe6d43b55a8a5aaac03099ab2dc580fa09b423388eb0de6

SHA512
599a64eee7f9dd63159e32194d07c0583cae6cb3d4e8ae7e9a1f4085cb59006b16bfae56b9a4ed309e73293b98eb15c400f91ca5e395a2e611f0931d98098b3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
e605282eedf8bb3f7a8b6be2437588d7

SHA1
0543612902f38c7c060cbe3d7dcc3b2437572c41

SHA256
113398e564561c4242e88023c31e37f0257e40469c1995e251e5f7ba7362654e

SHA512
affb6b5307dcc57da5b454648e9870c64889456f326e7a9b546d7d04fdfb57c616e90ac468a409cd817b2e4bccab9f259d11f6b795610d6668bbfe1f29a41280

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f81469ef7e012d8685b5461dc9b1ec60

SHA1
17a3b138c36a24b6046bf3c9c245bd5c011da7da

SHA256
dbc41567877efa044ab86051a8a9bb23e86b4fb66ab83662e82e497cb38f35db

SHA512
8a5f8e5bd13c961dc02166bfd7afeaadef87bf9d699bcd2b9d7dca692a45fb8de6692ad85f633130ec0cf4313e636f9abe4ecfd64b3da987616da112107d4f27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d2a3707b669f46a8f1425536cd9e248c

SHA1
b88bde92352e541f9bfd5854470d51a3e6a7a432

SHA256
e42354e7a42fb29041c457f47bddac03154c52f325b1da680472f4c848c83c25

SHA512
126d81fc242bd5496b5f5e86d9e9799fb99bfc9b9cdbd08e93ba2581c79425e84153f55ce0fdefb92c08ce1f907cce1e6a1f8aac8b4e22477c0abc00619809eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7fd92ea4fa675c223cc3938fbce566e0

SHA1
a95505814eb441beb2d397d890bb1010b5ac0218

SHA256
171bd8f7a50797bb0b81488935ef76cf0d9fb70e04b96806656d50dc3c53123a

SHA512
5373a012e609f972d5a0209359350b3adc4704d89b05a3baf12d14fe015bebb500506877c67e25070493282a4065919702a50913b0d1adb7104e0b8cee9baffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4816bfa5fb9ec0310c442b9f4b61ce66

SHA1
7ba9cc3c99a9908d2b06f29ed35b6b31898787b3

SHA256
5918af617afa7bee3cf8d112d41837ef5635566d52ed65e2b59a6231ae7482a9

SHA512
7a655706eadd7d90339ea087aa53d1a9e5d1c8804829685b2edeecd6117d61daade9a004c67fb4cc8db1dd8e4d717f47059ea667e185cc123eebe7e210372ff9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
02bcd7e8da84c1638c7c18211c395c91

SHA1
890244d2f75e2e38b19c33343b1a99f3bef14e38

SHA256
b746b36881e836c131ad2819945dd8869a768876d95615e92068134f8f7562c2

SHA512
0b1f36f21f4b04d375114e6338a6a33067d34fa12aa037dca79a129c83e1bec0a5cd12a4ededa9ff2237183530e1bc1aa74151176dc4d7b8c8e62cbd18412280

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
260aa6c773aebc12261de33a6efee447

SHA1
ca70a5bcce00146a04a49cbae66a025aaa522927

SHA256
1940fb7c560c52b6f996f442ae4ba12b83dcc8ce7bd5dc0b32ef03b77d1c9700

SHA512
2232290adb383089d6fbd80e3a95d29b16e6237209380120e02d48638d304e92f1ace70ac51dfc449f18ef40f6aa3a83f12003af8893d16df0354d66aa3909e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
82db4a632b29929a63872955cfdff4e6

SHA1
568791f9b139227b092ab55eb84c5bdfd4b45ba1

SHA256
279da9d4e804f8fa8cbc19032d8c9691b35688e1759ea843af0363206210adca

SHA512
98fdfbd199856e97910081d9ed89a857e01920d5b0e2679a227ad7f3ef020c29797c43f4cd378ffb42d69566aef01f33c2e20a10863af9c30cbaf6316d3981b8

Download Submit