hxxps://google[.]com

max time kernel
129s
max time network
71s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
29/12/2022, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://google.com

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	control.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
2728	chrome.exe
2728	chrome.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
636	Process not Found
1804	Process not Found
1920	Process not Found
2188	Process not Found
2184	Process not Found
1268	Process not Found
2648	Process not Found
2832	Process not Found
2828	Process not Found
2456	Process not Found
2660	Process not Found
2024	Process not Found
2652	Process not Found
2644	Process not Found
2640	Process not Found
2392	Process not Found
2412	Process not Found
2424	Process not Found
2388	Process not Found
3780	Process not Found
3800	Process not Found
3784	Process not Found
3788	Process not Found
3664	Process not Found
4728	Process not Found
4988	Process not Found
4468	Process not Found
3564	Process not Found
3872	Process not Found
2296	Process not Found
4860	Process not Found
4276	Process not Found
3540	Process not Found
340	Process not Found
4524	Process not Found
1840	Process not Found
4140	Process not Found
3332	Process not Found
4260	Process not Found
2888	Process not Found
3724	Process not Found
3372	Process not Found
2260	Process not Found
1964	Process not Found
2208	Process not Found
5064	Process not Found
3728	Process not Found
5056	Process not Found
4880	Process not Found
2504	Process not Found
4136	Process not Found
3392	Process not Found
4368	Process not Found
4756	Process not Found
4100	Process not Found
4844	Process not Found
3520	Process not Found
3632	Process not Found
3752	Process not Found
4840	Process not Found
3484	Process not Found
4788	Process not Found
3388	Process not Found
940	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3888	taskmgr.exe
Token: SeSystemProfilePrivilege	3888	taskmgr.exe
Token: SeCreateGlobalPrivilege	3888	taskmgr.exe
Token: 33	3888	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3888	taskmgr.exe
Token: SeShutdownPrivilege	4652	control.exe
Token: SeCreatePagefilePrivilege	4652	control.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe
3888	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2756	2728	chrome.exe	66
PID 2728 wrote to memory of 2756	2728	chrome.exe	66
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4088	2728	chrome.exe	69
PID 2728 wrote to memory of 4060	2728	chrome.exe	68
PID 2728 wrote to memory of 4060	2728	chrome.exe	68
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70
PID 2728 wrote to memory of 4836	2728	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0x88,0xd8,0x7ffbb00b4f50,0x7ffbb00b4f60,0x7ffbb00b4f70
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1512,9125386298933732504,3161520184834630195,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1512,9125386298933732504,3161520184834630195,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1524 /prefetch:2
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1512,9125386298933732504,3161520184834630195,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9125386298933732504,3161520184834630195,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,9125386298933732504,3161520184834630195,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,9125386298933732504,3161520184834630195,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4056 /prefetch:8
  2⤵
  PID:3568

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3888

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4300
- C:\Windows\system32\net.exe
  net user /add test test
  2⤵
  PID:208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /add test test
    3⤵
    PID:304

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" SYSTEM
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3164-135-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-137-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-120-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-121-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-122-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-123-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-124-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-125-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-126-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-138-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-129-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-130-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-131-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-132-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-133-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-134-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-127-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-118-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-119-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-136-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-128-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-139-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-140-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-141-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-142-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-143-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-145-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-144-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-146-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-147-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-148-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-149-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-150-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-151-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-152-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-153-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-117-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-116-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download