hxxps://npl[.]qbn[.]biz/vendor/zoom[.]html#alan[.]mak@lockton[.]com

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://npl.qbn.biz/vendor/zoom.html#[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637716489876712"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3880 chrome.exe
3880 chrome.exe
4376 chrome.exe
4376 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3880 chrome.exe
3880 chrome.exe
3880 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3880 wrote to memory of 540	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 540	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 1380	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 2584	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 2584	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe
PID 3880 wrote to memory of 560	3880	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://npl.qbn.biz/vendor/zoom.html#[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbff9eab58,0x7ffbff9eab68,0x7ffbff9eab78
2⤵
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1900,i,11023674454324770476,240731020931830896,131072 /prefetch:2
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1900,i,11023674454324770476,240731020931830896,131072 /prefetch:8
2⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1900,i,11023674454324770476,240731020931830896,131072 /prefetch:8
2⤵
PID:560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1900,i,11023674454324770476,240731020931830896,131072 /prefetch:1
2⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1900,i,11023674454324770476,240731020931830896,131072 /prefetch:1
2⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4132 --field-trial-handle=1900,i,11023674454324770476,240731020931830896,131072 /prefetch:1
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1900,i,11023674454324770476,240731020931830896,131072 /prefetch:8
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1900,i,11023674454324770476,240731020931830896,131072 /prefetch:8
2⤵
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=988 --field-trial-handle=1900,i,11023674454324770476,240731020931830896,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4376

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
384B

MD5
0ea5f509bcd47474e569bd0126ca5153

SHA1
c9ac53f60a5028835462740a6d8c5b66f2fd2956

SHA256
a4896dfa5ddcb11521ef341e2b212aec6813bcb75e25a4fe4e2c802e41b87661

SHA512
7888b330b67b141f72bb8c442050248357c173b4374763a6cd0e40bc9c8cfe8a7aeee655d7266ee55634dd7f1152d706f90a79db2beb487faa7e515cb83dd64f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
02245ec50526bd47ed363b3ebca2b3a4

SHA1
94cf21fee2cb99754c2e9960095d3b2a605aadf3

SHA256
e2c63bc9d907e60400a301447d97e377c97291d65174e05a0dc369a4a843d054

SHA512
5385768d5814a0a1bcb1059fe46281656a95ce4a4e20c0b81e83161607c31ec987d935a486c85ec077373e438ff79824c07e4d2aac0a0f14a47f32b40688e31d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
4ee3a9431b5ce6c1ec5e6be47a696541

SHA1
9d4f1c0f3c0b61e371305b2ee4f93a9f397b1739

SHA256
f85c0574632932d63c28fe4197d3b4005ef2d8c39373749707f4dd208675d59c

SHA512
81ec9e027578fc02a6b851580557a38f4722cfbbc4c97f540d29b6332a1cf3eb9794ace28b75f23ba766aaa5b960417279900439cbc3f43483b73215c5fa9ae5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4d8bc3b69a12af2a72450ff2f19c0241

SHA1
9d63cd579e9e4a3b5ac896d4480fd04dd6cae6e8

SHA256
c2202445f9f69c12889ea30ffc058cba2e8fe3b411bf3c3aa24c8dbbe55b7588

SHA512
654f93dbc83b8f8b031a5eeadbea345d65a3a54a0ec8bcb517db2bc779bb575f5919b32bb821ca54aaaa3d13768d4769ea3cd6ac45e66a36031b92b7ecd167de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
b7fb2555b1ddad2ef340fcf3a635825c

SHA1
8c1d090ad73aea7efa47e6d95e1082a537248a02

SHA256
447dfe607d91259c6158c3c1802cfb36a6e6e5c1882690c892fcd127dd6150c5

SHA512
817abb2137c35bd989e13d725ee33f7e8ea828aeb908a5873c3863c40195728815833f2e0c4d2754bb5958b6a9a9976c5178375b32948cdc9307fccbc013875c

Download Submit
\??\pipe\crashpad_3880_ATHBKPSIVNXINHAA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit