668f2520e49618d209ff2d7e15dfa7dc416a95e6fed03ba59007378216aa4cde

Analysis

max time kernel
57s
max time network
66s
platform
windows7_x64
resource
win7-20220901-es
resource tags

arch:x64arch:x86image:win7-20220901-eslocale:es-esos:windows7-x64systemwindows
submitted
30/01/2023, 11:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

excavator.exe
Size

26.3MB
MD5

70df3befd1b3f8e8b016812b53ed0a04
SHA1

0e600154586673dac9d48f5bc15a6b4c211ca6af
SHA256

668f2520e49618d209ff2d7e15dfa7dc416a95e6fed03ba59007378216aa4cde
SHA512

7c6d9fd0045fb5f14d6b8a6a2199397c7e91345055aeced78c18948ba5af2a989d03d41b99f20c53259031058e1dac6dfe28231141bea3455ed5507402999c78
SSDEEP

786432:mNLdz/9GtJ8C0rbxcjXJBYB2SGEiJORRps0VAgb:4dRGjH0rCjX4ISGELRRpDAO

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1520	chrome.exe
904	chrome.exe
904	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1252	904	chrome.exe	30
PID 904 wrote to memory of 1252	904	chrome.exe	30
PID 904 wrote to memory of 1252	904	chrome.exe	30
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 972	904	chrome.exe	31
PID 904 wrote to memory of 1520	904	chrome.exe	32
PID 904 wrote to memory of 1520	904	chrome.exe	32
PID 904 wrote to memory of 1520	904	chrome.exe	32
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33
PID 904 wrote to memory of 1616	904	chrome.exe	33

C:\Users\Admin\AppData\Local\Temp\excavator.exe
"C:\Users\Admin\AppData\Local\Temp\excavator.exe"
1⤵
PID:1356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefac24f50,0x7fefac24f60,0x7fefac24f70
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,8847835502730374929,14364696676285694636,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1048 /prefetch:2
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1028,8847835502730374929,14364696676285694636,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1028,8847835502730374929,14364696676285694636,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1764 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,8847835502730374929,14364696676285694636,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,8847835502730374929,14364696676285694636,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2136 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,8847835502730374929,14364696676285694636,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2856 /prefetch:2
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,8847835502730374929,14364696676285694636,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2392 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,8847835502730374929,14364696676285694636,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads