c7c52c4c82341556e2be4abbaecd834e01f06aa6918839b74963111a48f7106c

Analysis

max time kernel
37s
max time network
31s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
23-11-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

attachment-1.html
Size

254B
MD5

164ff36a46f7143c44356eeaaf91b54d
SHA1

279b4d088d36d697ac74bac5ec3d8827c550464a
SHA256

dfbe03c7cfc32f54f6492ce61b1aad0f59cc304873dd7e51832db967adae5060
SHA512

9b4b212ed167fb670bf715081d73436e7a33e9290aa56a09bdb481e095ad2203f3460b42e52f9efb97890aa819f25781f99c4cfbcced9d23c1cb99e0975a6aa7

Score

7^/10

microsoft discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
14	api.ipify.org

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768015139995080"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 5060	5032	chrome.exe	79
PID 5032 wrote to memory of 5060	5032	chrome.exe	79
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2948	5032	chrome.exe	81
PID 5032 wrote to memory of 2316	5032	chrome.exe	82
PID 5032 wrote to memory of 2316	5032	chrome.exe	82
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83
PID 5032 wrote to memory of 3752	5032	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\attachment-1.html
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb355bcc40,0x7ffb355bcc4c,0x7ffb355bcc58
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,8069076680360473290,12876277769796341981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2036,i,8069076680360473290,12876277769796341981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2160,i,8069076680360473290,12876277769796341981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3036,i,8069076680360473290,12876277769796341981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3044,i,8069076680360473290,12876277769796341981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4340,i,8069076680360473290,12876277769796341981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4324 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3324,i,8069076680360473290,12876277769796341981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  PID:1056

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ddac8ac1e00a1938fc0539243e67ddbd

SHA1
0b0d3b6240c09b50d04e8ff45a73f37ff306b7cd

SHA256
090b40d3689da4da0c0210b5dcbdb419d6c69f8ccff8f636bf08ab9c0921b588

SHA512
788cafb28e05de2ac29712341e03e4e8fd88951b06b7398ba0fe95cb2c57e9af2251077897438c7ac404caa67a73a7d854287b014b93617ef97ac734523f2fa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
c9aa939621fcf46a748633e2eecd914c

SHA1
fcb5b525f5958983a08c9e137ea53d09ed7160bc

SHA256
a6941202672b1dfa61e035cbc2d2655ba5a9bcfdc93130d44f5904e26a9e0ed7

SHA512
5b35520984342bc58f3135193ea88cd486a2db42844c84995f9f393089ab8f27b11675085dd2c0a5b23a19994185e7b3c61f3d47c01fb8c6df59baa528932c63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\77b4d12d-1f94-4644-b06f-46b7989fbe7f.tmp

Filesize
2KB

MD5
c85da48da787fc0a16dc93e593d4f5ed

SHA1
1a83aaeda216a6815b850c9399f3286f54911ad9

SHA256
385b6acb20930a95467bceec5fc98b7d275160b4d4544e61a5500d2ee77e3647

SHA512
2c78c2ca30b93f7de725ebb08bb05d7f87478572411fd07656de10d033595137e21a7445d6931281fb5676ab1a5d8a8b413835c8cabbf5fb9d5521b2cb0eef87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
438ddfd317a479737ff55d0df6cdc8eb

SHA1
d35d55d23ad859a08aa0a430ea6fadaa114141c8

SHA256
9f7085e12a2f86e4c3d086e2c79e7e7f255a82026a94deb8832cb6e749ae994f

SHA512
c2a3608eb6a8025b853b683da6e9001b3faf86ca361bbefb05ea2d8ed34c3d2477bf6e9d8ceb7ce956e16c87e5d22a81b163ee6a9921ff5e786b6286a376ffcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d1953ff89c797aa4bc61494a5377a78

SHA1
d8742a9ada6a7dad5ed4d76ae3bc9de5ccfc77af

SHA256
f44abb5434dffa06a331cf11dd9a2b6602832b3d498cf138226776fd6b9d1eae

SHA512
5d0fa91ccdfb930c1ce5c7f9f6de5260cdf82e1a7459363f400b6d3a3688ea47aaebfd65011842eeca631d018afdecf8b950405451eee8a5c011151affded989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f27ef24d92bf55d0ce8ec1bf92288b1b

SHA1
6a7d2f35750fbf76dac52e35dbe7a7772bf25f66

SHA256
f99eb1d72bcf47e866b8770fe07684bed9a5856f5a430a297b4807b4c555af3e

SHA512
51f0383596d5a339ea2199e3c864651350e81c7569ec53c108511d4302ffeb3018901ee6c8d1001fdd3d7d3d6fc6664fcb07aae819f84ffa2e73707156f01e19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
58d5cbe42f93279ec01e795c9e7c2065

SHA1
3fd7bdca2f5bf6b90cc3df9e6a9ce3b20ce58313

SHA256
67dedff608a3a6e92aa14549f84d19870a7a9f954b7c6df292ce394e4e50e396

SHA512
bc70502b12bc64b74e0dbeece0316f2166115259340e67cd50aaabf3ebf571c5779a07bf196118b80a757c0ed1606675d259ea3eaac41dde013f4ff90fdfb945

Download Submit