4651774005806deccc2bbed63c4c19e120788ee0a5653bd50cb21aaf4bf3b16c

Resubmissions

16/03/2023, 23:55

230316-3ygy9add68 6

16/03/2023, 23:50

230316-3vrz2sdd62 1

16/03/2023, 23:48

230316-3tk54sfe6v 1

Analysis

max time kernel
101s
max time network
97s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16/03/2023, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

autorun.inf
Size

58B
MD5

3a4a1d5b223ee4070754f24754a77f72
SHA1

cdf94acdc3555b54a9683a91b8b8f7297982ecfe
SHA256

4651774005806deccc2bbed63c4c19e120788ee0a5653bd50cb21aaf4bf3b16c
SHA512

cd208248b4121271b2f41c6375663c92e0df7cfb0fa545359b0f6a1a31566402557071254d880b946b3320c56dfed3a2bb2a0daf1223d09996eb0641c5dec261

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
836	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
920	chrome.exe
920	chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 2004	920	chrome.exe	29
PID 920 wrote to memory of 2004	920	chrome.exe	29
PID 920 wrote to memory of 2004	920	chrome.exe	29
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1916	920	chrome.exe	31
PID 920 wrote to memory of 1828	920	chrome.exe	32
PID 920 wrote to memory of 1828	920	chrome.exe	32
PID 920 wrote to memory of 1828	920	chrome.exe	32
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33
PID 920 wrote to memory of 956	920	chrome.exe	33

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\autorun.inf
1⤵
- Opens file in notepad (likely ransom note)
PID:836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b39758,0x7fef6b39768,0x7fef6b39778
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1316,i,61640541239778820,18288967711736919718,131072 /prefetch:2
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1316,i,61640541239778820,18288967711736919718,131072 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1316,i,61640541239778820,18288967711736919718,131072 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2268 --field-trial-handle=1316,i,61640541239778820,18288967711736919718,131072 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2180 --field-trial-handle=1316,i,61640541239778820,18288967711736919718,131072 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1480 --field-trial-handle=1316,i,61640541239778820,18288967711736919718,131072 /prefetch:2
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3576 --field-trial-handle=1316,i,61640541239778820,18288967711736919718,131072 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3804 --field-trial-handle=1316,i,61640541239778820,18288967711736919718,131072 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3784 --field-trial-handle=1316,i,61640541239778820,18288967711736919718,131072 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3936 --field-trial-handle=1316,i,61640541239778820,18288967711736919718,131072 /prefetch:1
  2⤵
  PID:2424

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\51f2ed66-e83d-4565-9050-50ed94d304a4.tmp

Filesize
4KB

MD5
9fce7d92795e1f54b39cba991a1ba146

SHA1
03c2e89f14417adfe3899468766f0acb01102ef4

SHA256
b86fe53de134325bde8751ab69cb9bc06d357e1969b2cdb339e0c084bd1591cb

SHA512
7ae08bd428827b297a411b583f438f9fe691cf0ee59573ca465c07b9455b7ddfdc2be5a110da991a0828662c6c0fcfb9ba80abaac268828be828fa6e08ff8500

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
e517e4db3aaef2ba9655fdd8f4612d25

SHA1
a547c8bdb20fb4fd1f8b1fee3c0750d6e9bc3bc2

SHA256
7b19102d9cbf2f87f63710a8932575bf7fbc951a576adb1ac5ae4edfdfd905b0

SHA512
3af1a6740820d17c1c98800e24f02da6bd445fdab3c17574977620f4dbab59d1ed6d9284b381f00605619398c248be32d28f7a93ae577d27e2f80961de35928d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
4f3f779db9e61c29bb504693b0ba270f

SHA1
629376a890f474b052ccdc6d2f0740259b519a66

SHA256
ab6c8e625047993e8b497e1eae4d8f58d2084227dfa96ac0c2a1cc05a23f0824

SHA512
4467387cba17e2efc59623f78396e08f4f29e9225f823f890d771fc0eff48e5fbef1eb020d2344fd37f800b8f6fbb3291ac5cb4ebbec6a71f4bfeb01a0d79384

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e65c73c0-d2b9-4b65-960d-9034f8672cab.tmp

Filesize
143KB

MD5
82da57dcc86f14579905eebc01b64da5

SHA1
2f01c49e70512118d44d62ff97fb3fd229a0525a

SHA256
dfe6c59cab469236a503012e3f36490b9663aed6728b563087d847955a718bbe

SHA512
5f9025503cae8a742ca3e46ee222f4a4ecbfeabe4192a28233238faa5f008e4c03b3368f79868a29de085c4a751520a4772fa0c8ed7bc066e3f76a72afce6c57

Download Submit