Resubmissions

30-10-2024 18:30

241030-w5zpbazrap 5

30-10-2024 18:29

241030-w5drvazqhq 5

Analysis

  • max time kernel
    14s
  • max time network
    14s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    30-10-2024 18:30

General

  • Target

    https://click.email.slackhq.com/?qs=c168ee32fd37e0988a15e02a9dc9c68d0c00596e816ead497cc46304fa371cfad69aaa735eb8c5ad7e3f5a4fc7b1194b926a78d15e97a297cce644771264830f

Malware Config

Signatures

  • Detected potential entity reuse from brand SLACK.
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://click.email.slackhq.com/?qs=c168ee32fd37e0988a15e02a9dc9c68d0c00596e816ead497cc46304fa371cfad69aaa735eb8c5ad7e3f5a4fc7b1194b926a78d15e97a297cce644771264830f
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffcd930cc40,0x7ffcd930cc4c,0x7ffcd930cc58
      2⤵
        PID:3140
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,17159675152494093493,13539844532387639348,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1884 /prefetch:2
        2⤵
          PID:1380
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,17159675152494093493,13539844532387639348,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2172 /prefetch:3
          2⤵
            PID:4588
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,17159675152494093493,13539844532387639348,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2452 /prefetch:8
            2⤵
              PID:336
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,17159675152494093493,13539844532387639348,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3172 /prefetch:1
              2⤵
                PID:4624
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,17159675152494093493,13539844532387639348,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:1
                2⤵
                  PID:1588
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,17159675152494093493,13539844532387639348,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3132 /prefetch:1
                  2⤵
                    PID:4928
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3344,i,17159675152494093493,13539844532387639348,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3476 /prefetch:1
                    2⤵
                      PID:2748
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4376,i,17159675152494093493,13539844532387639348,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4124 /prefetch:1
                      2⤵
                        PID:1132
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4872,i,17159675152494093493,13539844532387639348,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5020 /prefetch:8
                        2⤵
                          PID:5048
                      • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                        1⤵
                          PID:3688
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                          1⤵
                            PID:400

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                            Filesize

                            649B

                            MD5

                            70fef86b45e0e1b949cad914eb8e0f85

                            SHA1

                            76ec180e24ff8aaa43f5699ea705cd5366ef084e

                            SHA256

                            82a3b7596fc9a9a2769758a26e302ff7831400db815f4f92658ba954d22f3de7

                            SHA512

                            b2f7324a90862521af4986ee88bf29a314760f5df457233cfb465a3738179b206d6d1de7508bcbe2f46e0da230e55610c3beb78fc67a458c6b138ab53f25d2c4

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                            Filesize

                            2B

                            MD5

                            d751713988987e9331980363e24189ce

                            SHA1

                            97d170e1550eee4afc0af065b78cda302a97674c

                            SHA256

                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                            SHA512

                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                            Filesize

                            1KB

                            MD5

                            36236feba57d72f24e0cad6834f86bdf

                            SHA1

                            a43e94c6e46b3f4d0b50178054033f1b704f198b

                            SHA256

                            f7771d792370e9bebad380ad37e69ce7de2a3b29888bb437490bea2eeda3768e

                            SHA512

                            dcd0da4d28570d65dcffc1969cec5127f3a9a1bfb3b9e13eaeafbfd37e5c2793d97ce9c475024898a45702007cda10b61176ad3643d425141fafc1130b5a02f9

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                            Filesize

                            9KB

                            MD5

                            2384dcce9be90675ab9c3f24123cce6e

                            SHA1

                            e9d19ebc2fa21385e3e93d22c2a0a19b9b39864e

                            SHA256

                            e1e8e5d750bb192d92c9ff438d94dfd1bd83b1d2456e379ef391fbcd8eb030cd

                            SHA512

                            c6519d3337df1d2dc2dec877efb614ba2f731d64618f415794face80f0426c033e7dad926be1affe813b4bfa21f38feaf74a25a78c44ea49b551c2fe6b1fc11b

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                            Filesize

                            120KB

                            MD5

                            1ba55a08a31f8d3c4a627170a91c3b61

                            SHA1

                            d43585bced567618beb1b9a5bb7f64d7193d7352

                            SHA256

                            78754925c6d11871d3f36582c2350272604b1921d4647daf61a7f9e56317d461

                            SHA512

                            4951ffa1819209a9191d643d9a9b50d67c31657862976a3a8be572e299afefe68f88fbe4e54a9db0119ccfd81ef679b741aa090d9cfd0d80b3fece8e46d65823

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                            Filesize

                            120KB

                            MD5

                            f3f984e9c8403ce2ed774a2933f66ba5

                            SHA1

                            8d8df6751bf1d9a5d679f988c1e88e03cf9ce3ec

                            SHA256

                            e601626581676d1cf4d1e82b557f965413f2d22b5322b5110e1583534ef39fa5

                            SHA512

                            d58b9e386aba4736908540e3e39f8eb827ac9d006335b3ce4945d28b85c167d1f85e46e40ecf8768a5e21ce57f5ed2a6a659b466c09469a3be606d6815583601

                          • \??\pipe\crashpad_1700_MNSTNXJYUIHDJRJW

                            MD5

                            d41d8cd98f00b204e9800998ecf8427e

                            SHA1

                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                            SHA256

                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                            SHA512

                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e