hxxps://form[.]123formbuilder[.]com/6694460/officeofgeneral

Analysis

max time kernel
299s
max time network
275s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
28-06-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://form.123formbuilder.com/6694460/officeofgeneral

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640737250173290"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

5064 chrome.exe
5064 chrome.exe
3516 chrome.exe
3516 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

5064 chrome.exe
5064 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid process

5064 chrome.exe
5064 chrome.exe
5064 chrome.exe
5064 chrome.exe
5064 chrome.exe
5064 chrome.exe
5064 chrome.exe
5064 chrome.exe
5064 chrome.exe
5064 chrome.exe
5064 chrome.exe
5064 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 5064 wrote to memory of 2412	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2412	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4860	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 104	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 104	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 2224	5064	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://form.123formbuilder.com/6694460/officeofgeneral
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb09dbab58,0x7ffb09dbab68,0x7ffb09dbab78
2⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1828,i,9154372319360359228,13262038988198397964,131072 /prefetch:2
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1828,i,9154372319360359228,13262038988198397964,131072 /prefetch:8
2⤵
PID:104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1828,i,9154372319360359228,13262038988198397964,131072 /prefetch:8
2⤵
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2100 --field-trial-handle=1828,i,9154372319360359228,13262038988198397964,131072 /prefetch:1
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1828,i,9154372319360359228,13262038988198397964,131072 /prefetch:1
2⤵
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 --field-trial-handle=1828,i,9154372319360359228,13262038988198397964,131072 /prefetch:8
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1828,i,9154372319360359228,13262038988198397964,131072 /prefetch:8
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1272 --field-trial-handle=1828,i,9154372319360359228,13262038988198397964,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3516

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
cb5c298cc594447cbfb3ad30d94ee7f0

SHA1
3955f475d899af293e1f4c3aaeeb094ce05a4551

SHA256
05493ba7cdf860e31c48b1ccd3f2329ed5cfa23e156f756a58d2ad5535da0b98

SHA512
a992adf22b2ed606037263d4f5a36a95b86d0dc481d7321f24071a74209f3124086b14701a0322ee410d4c5706d5acc03972bec6c68336f2d0d2b25fd84ff3d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
ec1a08da679cd31c75b7fe153ed69c93

SHA1
c0ca7e980024eac3dec49636bbfa125eb29dde53

SHA256
2ad420a3af13ba28117a36feb9e9324094006a92a48af985a2b15478225a2ec7

SHA512
a00e8f8ad73bcc297110ff17dfdbbdf4097a3363f1cc20e6dcca480b48ab0b1bede63b6cad3cb6a937949683f0ef30c9011e1c7274f19dd8aae0ab7d619baecd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
522B

MD5
494f22d20e3dcb69cd92f9ef8cc5a94e

SHA1
38c36f5c4285afbf5cc5c8e62fc931af6720e52d

SHA256
4215402d13346dd0671ff9085419cbe526c79ab173910735b87f8e2927a28d9d

SHA512
6c39644ce7c116e3caf363a82513a2459349dc80c35b5a408efa6c558802628a4327e5814fea606763b23aefd027e8e6256062901d52de3d2d7503c836c5893a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
07fcd752631f438f89acd102328eb087

SHA1
7219f4e94d09de77b485ab20c5b06bf25276bf3c

SHA256
c127b543126ce388676a4ae32ce2c0b9c642c1c7e6d29a0f2fa85ee6b7fb0cab

SHA512
95300ace48fa3fa0892cb8e090a9a7b155a8099dac4fde519caa7a509aaa4dad66f800ba8af86a1d125029979a65dba119fe1b9af25bd88224331ec56a7fcc57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
29c22f788fd5380894d75126a73e66bb

SHA1
f5d4e57d9ac79337e593f78ab7e7eecc69a3bfb1

SHA256
605e995eaf90b1d003d46ce35355b82b5a3e103abdaa7b88742291a9a01df184

SHA512
a7ff30afcdfe462762c5cb28ea81ad8621d28c189046b860ac2f72f60437b8b89fbfee45a357f529e632d0e605289dd652bb802226b8b46dfe7fe22191e89bed

Download Submit
\??\pipe\crashpad_5064_DTICBFJOVEIQAPBR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit