hxxps://barcoprdwebsitefs[.]azureedge[.]net/barcoprdfs/Data/secure/downloads/tde/Active/SoftwareFiles/ApplicationSoftware/R3306183_44_ApplicationSw[.]zip?etVFM82KojU2XzppK6LLLdUiN1gFhKIaPMSVhISegk4_haJ2KPzUpTCVF3c-Mg_UJad_sj6tea-_ThjxKP22e51k1nBl

Analysis

max time kernel
151s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2023, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://barcoprdwebsitefs.azureedge.net/barcoprdfs/Data/secure/downloads/tde/Active/SoftwareFiles/ApplicationSoftware/R3306183_44_ApplicationSw.zip?etVFM82KojU2XzppK6LLLdUiN1gFhKIaPMSVhISegk4_haJ2KPzUpTCVF3c-Mg_UJad_sj6tea-_ThjxKP22e51k1nBl

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5024	4272	WerFault.exe	20

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133233013782696131"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
968	chrome.exe
968	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4264	4060	chrome.exe	88
PID 4060 wrote to memory of 4264	4060	chrome.exe	88
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 3860	4060	chrome.exe	89
PID 4060 wrote to memory of 116	4060	chrome.exe	90
PID 4060 wrote to memory of 116	4060	chrome.exe	90
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91
PID 4060 wrote to memory of 4268	4060	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://barcoprdwebsitefs.azureedge.net/barcoprdfs/Data/secure/downloads/tde/Active/SoftwareFiles/ApplicationSoftware/R3306183_44_ApplicationSw.zip?etVFM82KojU2XzppK6LLLdUiN1gFhKIaPMSVhISegk4_haJ2KPzUpTCVF3c-Mg_UJad_sj6tea-_ThjxKP22e51k1nBl
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff817be9758,0x7ff817be9768,0x7ff817be9778
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1824,i,3335875067981262760,16192742019674542665,131072 /prefetch:2
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1824,i,3335875067981262760,16192742019674542665,131072 /prefetch:8
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1824,i,3335875067981262760,16192742019674542665,131072 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3148 --field-trial-handle=1824,i,3335875067981262760,16192742019674542665,131072 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1824,i,3335875067981262760,16192742019674542665,131072 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1824,i,3335875067981262760,16192742019674542665,131072 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1824,i,3335875067981262760,16192742019674542665,131072 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1824,i,3335875067981262760,16192742019674542665,131072 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2812 --field-trial-handle=1824,i,3335875067981262760,16192742019674542665,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:968

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 4272 -ip 4272
1⤵
PID:2808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4272 -s 1772
1⤵
- Program crash
PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
df2ea9f2f36a4b826af1289cd46b36f3

SHA1
8c4dbbca8f6c956d66450a6440c7ff9a5a383393

SHA256
b6197c6dd5e746bccc294c896d656682e6c0bb4f591aa8594a33c94520538675

SHA512
4fdb9852c3df31a26812fb67cb6e12f944301364d6583a0ddec1f981c4382dd6fd718140f88fa42797e5b283ae4214b0ef9df4b6b99b79757370d5c14b681208

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bc77aa1a495d80089dbd6b762fd8e028

SHA1
7c5465c58c69f0c38eeba004fa7f3d4d33add1f2

SHA256
17193058e9da2140b6a4a9c1eb6a8f2670cb7553a8916816fec961fb55c6f9b6

SHA512
e5879dd7dcbaac9752c7f0a544d7aa37815689f31daa8a07bf81a46c513d275af2528262d30be2b2ba15011fbfda7e1cb2761495ba177f9b222b5bb9371b3909

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6110319ade341b88c2101c9449c569de

SHA1
54146f87d54c577f296b8d5a43804aa364f6017f

SHA256
8e4c6411ffc4e2108bf2157a7d3de206dd115295340edfa060420c57bc01d81f

SHA512
15eadcee00ec6c0707efdaf6b342b1e48b9a343a3fb2792d2d71ff40fea474f53c1738f109401df3e9138a88947ad516fb763b76c696bbfad6f5ceae2c8c7b4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
629b930260af3821759de354404ea06e

SHA1
ffcdc7a70e54009cb367a3f572c2b0fbdcfee80b

SHA256
dc7ac0b41405d86f3eceea0310be0f2b8bf2d577b8f1c8df7a8605074dd03511

SHA512
af6b43a0fced68ab57d90609cbd6a44622e66b274dff5b3b5dcf3408c24b8196baf594ba9b76e1dfd44d47f32e662836b903392da424458d7644f172f34a77b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
1a94c0ad51a32a4f1eff75daf4874481

SHA1
79bff1b817543543896cfe004f1bbdb6e0288234

SHA256
fc5410e3c3905dc13ae3111371adb0c785484a4b786036baa4a695ca7eb1e036

SHA512
79b4f228c680bcbd35d9cb8470d358518c196e16d8a07b06ca199351f6f7523f40879789585635f98611c25b38bc38ef95b51f4b483a73bd18398a0d95acd4af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit