hxxps://office[.]calendulaasd[.]shop/index[.]php/campaigns/vq792yg3ldf39/track-opening/rr896r22r1534

Analysis

max time kernel
79s
max time network
63s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30-09-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://office.calendulaasd.shop/index.php/campaigns/vq792yg3ldf39/track-opening/rr896r22r1534

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133722013321375369"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4648	chrome.exe
4648	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4648	chrome.exe
4648	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 1908	4648	chrome.exe	78
PID 4648 wrote to memory of 1908	4648	chrome.exe	78
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 2980	4648	chrome.exe	79
PID 4648 wrote to memory of 4004	4648	chrome.exe	80
PID 4648 wrote to memory of 4004	4648	chrome.exe	80
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81
PID 4648 wrote to memory of 4560	4648	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://office.calendulaasd.shop/index.php/campaigns/vq792yg3ldf39/track-opening/rr896r22r1534
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8d9bcc40,0x7fff8d9bcc4c,0x7fff8d9bcc58
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,13994069347587202799,5045910085653450067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1720,i,13994069347587202799,5045910085653450067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1980 /prefetch:3
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,13994069347587202799,5045910085653450067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,13994069347587202799,5045910085653450067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,13994069347587202799,5045910085653450067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4368,i,13994069347587202799,5045910085653450067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  PID:2092

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e557cfca26fc3a56ea82e2f41ff45ca2

SHA1
570f37becfca96c6701fca5526f054653629a8b8

SHA256
889f649ecd520d29afa87960bea018eed9822e1abac3fb25e7d66619e0e56b5a

SHA512
72e4236976c2ab82d7e4f6fecd8d86ca98e76bb9a13ba66c1fd94d27e41525e9939b0957637ccdc93413dbf8f632c2a1385c47d309800d87568f70f58116aaa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9e3d0d929a3fc3a21c6a8808bdbc095b

SHA1
f4d50aa9fe4cbe4510356aa209758a9341480d3a

SHA256
633091361e6dfd937126c8585462d68ab07ac8a41ff56939cc8fc73fcf9aaade

SHA512
cc87fc5b13d1db80812d97cbfbe2586ade9bb00b739a99fc3285c45301708d52d314b0ccead7b0b501a773d7cb37526e0efa21a23fa44330120d7e00b4de1674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
be6537c34fa44a7b3e11f1d2d3a5c565

SHA1
03f7df5364974845e3227f85bbe0764dd909a9e3

SHA256
b96d1a4bedc70900a035ee9873c234d56ed933c2630ee527e88ca0c08e91e857

SHA512
4321a1247c7f185054b0848aeb0dcae6d309a50a9ecf6ab2ea26b716734522f27492af7077732d8ea261fa23e04acf533bcf4cf5989e48d9e313f701eb635c80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f3b60cef88f7ab5dbf6c329361d533e2

SHA1
d5d04286896ce6d2dabedc5601029b1f0afe690f

SHA256
1267396586ebcc238cf17b27c8dc6d7fdd5761dde3a826f2e7bf34e8cf434eb5

SHA512
df03e619642fa5ab46ef1ebfa7c8386d6fddb767ff4a102ec62b8cc0bdece0f73ba920d3259727e528dc5f8cca4b6ffa4d50a5ea5e26557db0ef6b75caa53c28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
14c1e9a223f9300228b51352f643f9ba

SHA1
718701bd735a42f2d3fcfd468aebd903620e7a3e

SHA256
16a874d3a1a5e9696ab4c87d89536b74a823879f60cded5304ac83ee750aa2fc

SHA512
137aa83f708f4103dd6f19da6d1a555671c82c801ecbc7a327e84e6809e0dd885d482dadc4ed3ef4c33d9cb721d682fc299a61badbc8e8fcf059d686780e430b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6f4c9ccc99e6bb82f8a599751c683ff4

SHA1
4fbd41c444dd96714cb4373759f2b15d3fccc26f

SHA256
3f5e32fb3928ac4782aa4e4a3f99c2ce11b07e3bee75e972d5dce326a76a7ddb

SHA512
2c36516c510bdf29783ab88cfb1c785144366d862bba4ec371e1235bafc931ce6f58575cef7c44056400d340bfdb77c0fb81dc4a7cebe20064a76d5b6d2c8faf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
731ecdcf8e703983838feb0dea44003a

SHA1
3afb403776a0518addcf4b24c13e06fa6c1e6667

SHA256
f4e92c96922f2bc0cd534f6702b35be7f1d1aef4d0014c620dcbbc1b8325278f

SHA512
94bf474ea2a7974abc0cc57f7fa9c4b753873dbb017f20a710980679b66110efd2920f6266ae94570954733dd9d7fc64ed91993e2d43526d168fbd9bee1b8b5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
58bdcdd5c10dbe536c78ad57d9eedb93

SHA1
6b0aa6455213993ebec5ea8ed7ffe9c9a5745a6d

SHA256
45758c478695801897516b93192c855338e453967e845101a1df336479817252

SHA512
cc548e072d933bf2300ba916c62d0e8869a3bfb643fc1a0dc31ca8bdcaba36ba6d36bd59a4a854029797dff046ecd40201872c6bafa37e037b7755aa2f588d47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
8e51c1012cca5eb0f2965d69debe81f3

SHA1
86cbca7a4df7a13352e5680d6c8727b36bb8ae77

SHA256
962ddfa073130f00b5b05280003867e2edbed6f6b21e014d5bb8cb5829f869f2

SHA512
fa4493a10c16536f34c88de14f72b14aeed14b8a450514ffe1188214e6886c32801fe5cfb24872f3cb27ae3e775c5a8ebdd6e661b4f15e34ab3b50d6a62e92f9

Download Submit