hxxps://github[.]com/Endermanch/MalwareDatabase

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

6^/10

bootkit persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Endermanch@Petya.A.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Endermanch@Petya.A.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Endermanch@Petya.A.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133247834335349446"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
3108	taskmgr.exe
3108	taskmgr.exe
4432	chrome.exe
4432	chrome.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4432 chrome.exe
4432 chrome.exe

pid	process
4432	chrome.exe
4432	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exetaskmgr.exe

description	pid	process
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeDebugPrivilege	3108	taskmgr.exe
Token: SeSystemProfilePrivilege	3108	taskmgr.exe
Token: SeCreateGlobalPrivilege	3108	taskmgr.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: 33	3108	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3108	taskmgr.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe
3108	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Endermanch@Petya.A.exe

pid process

4028 Endermanch@Petya.A.exe

pid	process
4028	Endermanch@Petya.A.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4432 wrote to memory of 3356	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 3356	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1276	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 3948	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 3948	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 4480	4432	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb17e9758,0x7ffeb17e9768,0x7ffeb17e9778
2⤵
PID:3356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1792,i,1547901129295358599,10103565038212031903,131072 /prefetch:2
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1792,i,1547901129295358599,10103565038212031903,131072 /prefetch:8
2⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1792,i,1547901129295358599,10103565038212031903,131072 /prefetch:8
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1792,i,1547901129295358599,10103565038212031903,131072 /prefetch:1
2⤵
PID:768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1792,i,1547901129295358599,10103565038212031903,131072 /prefetch:1
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1792,i,1547901129295358599,10103565038212031903,131072 /prefetch:8
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1792,i,1547901129295358599,10103565038212031903,131072 /prefetch:8
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1792,i,1547901129295358599,10103565038212031903,131072 /prefetch:8
2⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1792,i,1547901129295358599,10103565038212031903,131072 /prefetch:8
2⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 --field-trial-handle=1792,i,1547901129295358599,10103565038212031903,131072 /prefetch:8
2⤵
PID:3108

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\Temp1_Petya.A (1).zip\Endermanch@Petya.A.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Petya.A (1).zip\Endermanch@Petya.A.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f
Filesize
128KB

MD5
1559522c34054e5144fe68ee98c29e61

SHA1
ff80eeb6bcf4498c9ff38c252be2726e65c10c34

SHA256
e99651aa5c5dcf9128adc8da685f1295b959f640a173098d07018b030d529509

SHA512
6dab1f391ab1bea12b799fcfb56d70cfbdbde05ad350b53fcb782418495fad1c275fe1a40f9edd238473c3d532b4d87948bddd140e5912f14aff4293be6e4b4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
3083ac059598e7b4aa11040f744cf325

SHA1
9d413a8f9d7f4969d9760ee3a2aa5736ef12299a

SHA256
c2d4eadcca2428eed324b5fb0deee4b19d1cbaf61b19c58acbddd652151db668

SHA512
7341418ec730ac188cf76c231ca3ba160fbb1a39a292e52ef1633a4a7d08a43bcf5b415b7c97e6dc4574269ca90cabe869e7b15dea02cc46550560443c317ee2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
34c2fbbe68933a362d184b02fc146098

SHA1
65ab1a92b674d98b8604bb3a488e4c9cc5560df4

SHA256
8bf76eb1bac6951aeae544233a394272ba4b419fae3e08282441e969cc780669

SHA512
cc2e26ae3a97d8b6d2a1dcbd8e0e78b296f4b74cc50d0f4bacb1543355df99c4746d37238eb3395cffb023e34bfb0e7245a4ccafd04cfd5637792ac65015a020

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
852787b31b87ce784723461f89ff23e3

SHA1
21fabf29240aa0430073f4cc70344c020ccab59d

SHA256
95b0b0e9d2f83308f5fccd22dbc6557b098fc93bd5946cea53cd91372bb5721d

SHA512
0e2d7e209d418620d3d1e484c20e621d55597801e317a05c98da6929fa7ce7ad8bfebea4c37ee4f338023c270d014b9d7d47a6f361974f9d994cfa80844f4221

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
086e9f96b9b37298a99ae68bfc5ae090

SHA1
1523a710536f161601de4fc6082b7cd367d6f54f

SHA256
8aea48d5722fd8c825e6b0b2b3d39a1ec2dc85017d662bbf4af3c1fd15a1c6a2

SHA512
3827d27cd62b162e304e0c3f5d6e6213586fbadb37e55d489a8e33a2e809b2ab045edde9e580a7767beb73253b68e729a265fe1a89a42aaaeeb787ffa5fc794b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
3c62fe3f68bced2462d93422877d1a45

SHA1
21ee9c388cf7b51f7c92aafbb887030b46774cce

SHA256
0bc28cb8a7f723546f325490c7fbdce8721640ca753cfe7e8e921ae551e1519d

SHA512
de3cf5033230d49554032515873632afe619cdd31a20a8d181ab58c708011bb1ec82910cd995415f0c6e4720fb06a91536d5e1b1f0c51fa14eecd50b4d19a263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
81fc811e5f958b434d8211a97d6223e5

SHA1
8ee1e9ede867791a0961f1da6d4c054aaff3f739

SHA256
7c23548436c91170e70732c70f1621f05997b1a50bbc5aa29f9ef4b1587d308c

SHA512
ce3bd35a39dafa9410047c4df7afa36fd580786f842ae404f5b97d866745f4b70dd5b2a2362925b2f027fe536b12420af933ebd042064df96a581682bc18e8ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
2217aa3d95125d0eadc971a021f6c2b1

SHA1
4594a7f461a33a9d34f42cd4976439f9d96872d2

SHA256
124e4008bc97e89d6e654633ee4f5bf10de7b7a841669fcd886272dd9d622cd1

SHA512
7437df89cea373cf664dc5758c5bbf5919618fe2e4ec99d7cff3fe66b728f88f5e0cd770d832a1c6168a66f1ce896c4fae2ecd916cf4a3d1a1821f084309ca37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
6e9224e298e32c6e5a9e59589a99d711

SHA1
cf321f276bdcda6539ccb1c456996768db93a80e

SHA256
c8c0bc7bb41073d93c3b537fa581d20d7018a144712fa429c5f8781269d3d987

SHA512
8580b8791743cd8ef7354c6e71d7ac9bc25f645afe01f204532928f09fe2fe354dd1a55acbb193805a7c00c67e7f1236a576bff315bf981e159f656175d2aa06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
4a440062f2b20509e947afcb1c1217af

SHA1
78be5b49f04bb9d32ce66eaebba1d9f6ba87b4d6

SHA256
54f521b9fa7c69bd2f9d649b79489b09368009c5e992e624f7eb5bc170bc2155

SHA512
1083e204e966b35b1948c3e3374e643154b3329a7a84ef40f1bc30236bdd111c743790f0f1905804fd2a6df2d9a38b58969741026c668aac901502707aace51d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
3577724b0fb8d647ab9a9e61ed845438

SHA1
1c578a5f9bef81966f74e5f7ba040e195e7885b0

SHA256
35ced6bd2c5a47964579c9072a561f5e7be90bb21ac912a5d240106d3ea6e830

SHA512
318ce16fb5bfd560cc78fcd921f267c3c7bf454896a2f3bca312b303ad9478b1ce6fa86c3fe635ba5ba974e1e3702c4fbc76363a008ae5f7592ec3aac3fed106

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
210b9c443f591fa896c46e711686b3ce

SHA1
5f43283690f8054ab6a6652b59700826ddacac48

SHA256
45fc8a359cd4ad2314f5b777739f99beed04b5dcfb7d6ff88c7307f14fbdcd9a

SHA512
d3dad45ee4e738db0a9c0116c303f970a032556a3011707a7018d0aa9db3b04e7ee6c38e1941b839328d21a28310001bc2f284b8b956e930b6c8de1b3fcbd715

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
897cd3d29a2747611f6697a82e0632a1

SHA1
c20ceb2f359a238b6b5729af649c476791c8d1c5

SHA256
6984b81ff27f3509ba6d612b94b5be0183149e0b2ec77c2d3bd824d806f2b17f

SHA512
71bef36304bdd78762a494dd1f2bef4b60b65828cfad12b8b51b10fc3213cab10b2a82fa6c04e00e1f26c5a8b98ad643df83db9d19371048db42bdbaa691ed84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
2d360ebe8e900c3b227f2eec5871a0e2

SHA1
b088a3aa81fa47d40452031b977d98e608474aac

SHA256
843953db352dec4bdc1a27ba5302b1d7f3ecad9e20fca80d47fa4b164d2e3e6e

SHA512
c3f926c7ff3b12b12f3f73d0cd75d8cb48103848cf7ba1ff0399f7c01a879a4d861a2544881e1ebb8229f3a6c648ebcd8fd1c4638fbd8a1ce979479551dd369c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
b70234b647c29a8055771619a33b0b4f

SHA1
b79986904a3c750097de16d81a6fdeb517e4d221

SHA256
c2e5fe799ab3c2489a1bdd40a1c499f8b68f774c650e9fe7062c290fc98ecf25

SHA512
428b1090d69a0b29c59eaa9e0f913c4b2445cbd23820d064d6b424a1b705d3e326a263a81a421ad77e68b0056fd70de9fbdb56b5220da8e2781e11dc16f7bb4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
4a709cd46e88890c3b27e33a362befce

SHA1
1c10d70d48415eb0a8922e17f287709e05378d29

SHA256
95fc4581a43bfd8aaf8da754a63d8636199ce2e9ff029e02122f6987b5715ca1

SHA512
f9621e4d8494a5a44520ddbdd13d25a51241e79991be0a7ab81b4ae757e8fbc31261eb0bb4c207f015bf8cbd8e0010c4c8ce7d919e33c50a21703d7ceb9c6c17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
173KB

MD5
596501986e6da19d6d16e3d414d134b4

SHA1
74c8fd2882772adfa8b4b85a8f7b33944fd2e764

SHA256
c6c6d5509bdd39170dff5ce6edb290f641622e3597c41b5c338aba0b3da11a6c

SHA512
a9626588a0e62ba0b1e3984f3fa172c1f752d28418f6b25250dbf5a1ef866d9d9246336db8f3dd402b48075042246704e9191ea1d89ae43faee1eadaf01420ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
106KB

MD5
1a818cc2297249fdf4fced497f463ff6

SHA1
7e4c3f7f3afbd14fca290538c58dca6a7c34554e

SHA256
57cbb29159c38e15c450e632a305f18efa25378381abeae1fbcebb27ca9f4c17

SHA512
75eacbc0bdf5782765c276343ee6f39f8a4dd00c73c0dab80185e7f38b5df664326dd26315f4d71d50f551000f9899a5de55fa600dc9559f1956a170deba643a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5825d3.TMP
Filesize
97KB

MD5
699e7c23d682c84d5a0a015da7e7b625

SHA1
e27e1f3206d6bc7fbcbeb1ae22a8c91a13d109f3

SHA256
0b9b8df557ff4bf06b6befaf30b8ebf8a6a5f7e9559bf8d4ae4c33afb0706ee5

SHA512
982c7a2926f878e5069e5a9578d44ab3a344a09e6a586131aad1c77629cc1d68591eb2af106cf032b6f180d2e293ebb065c281be28c784086833e84b6216435c

Download Submit
\??\pipe\crashpad_4432_FIKJXPYUVRKMOHCS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3108-154-0x0000015BCC950000-0x0000015BCC951000-memory.dmp

Filesize
4KB

Download
memory/3108-143-0x0000015BCC950000-0x0000015BCC951000-memory.dmp

Filesize
4KB

Download
memory/3108-144-0x0000015BCC950000-0x0000015BCC951000-memory.dmp

Filesize
4KB

Download
memory/3108-148-0x0000015BCC950000-0x0000015BCC951000-memory.dmp

Filesize
4KB

Download
memory/3108-142-0x0000015BCC950000-0x0000015BCC951000-memory.dmp

Filesize
4KB

Download
memory/3108-153-0x0000015BCC950000-0x0000015BCC951000-memory.dmp

Filesize
4KB

Download
memory/3108-152-0x0000015BCC950000-0x0000015BCC951000-memory.dmp

Filesize
4KB

Download
memory/3108-151-0x0000015BCC950000-0x0000015BCC951000-memory.dmp

Filesize
4KB

Download
memory/3108-150-0x0000015BCC950000-0x0000015BCC951000-memory.dmp

Filesize
4KB

Download
memory/3108-149-0x0000015BCC950000-0x0000015BCC951000-memory.dmp

Filesize
4KB

Download
memory/4028-394-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download