Analysis Overview
SHA256
19363b70d7ccdbf10eb7633628f1e0d08fb0f85cff897fd758cf2b61c93abd81
Threat Level: Known bad
The file a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.zip was found to be: Known bad.
Malicious Activity Summary
Systembc family
SystemBC
Executes dropped EXE
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-05 19:52
Signatures
Systembc family
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-05 19:52
Reported
2023-04-05 19:56
Platform
win10v2004-20230220-en
Max time kernel
195s
Max time network
201s
Command Line
Signatures
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\wow64.job | C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe | N/A |
| File opened for modification | C:\Windows\Tasks\wow64.job | C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe | N/A |
| File created | C:\Windows\Tasks\wow64.job | C:\Users\Admin\Downloads\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe | N/A |
| File opened for modification | C:\Windows\Tasks\wow64.job | C:\Users\Admin\Downloads\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133252052291863213" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe
"C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90f4c9758,0x7ff90f4c9768,0x7ff90f4c9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1408 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3212 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3340 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4580 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4896 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4936 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5084 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3816 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5136 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe
C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe start
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3820 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3232 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=940 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3980 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9\" -spe -an -ai#7zMap25031:190:7zEvent12167
C:\Users\Admin\Downloads\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe
"C:\Users\Admin\Downloads\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5800 --field-trial-handle=1832,i,6986312130113181635,4053376214327080810,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.129.198.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| GB | 184.28.198.211:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 211.198.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.113.223.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.220.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.233.140.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| NL | 172.217.168.206:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | 206.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| NL | 142.251.36.46:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 46.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bazaar.abuse.ch | udp |
| US | 151.101.2.49:443 | bazaar.abuse.ch | tcp |
| US | 8.8.8.8:53 | 49.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| NL | 172.217.168.206:443 | apis.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.250.179.206:443 | play.google.com | tcp |
| NL | 142.250.179.206:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 130.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.136.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.131.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| NL | 142.251.36.42:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.36.251.142.in-addr.arpa | udp |
| RO | 185.198.56.2:4171 | | tcp |
| US | 8.8.8.8:53 | 2.56.198.185.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| NL | 142.251.36.42:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 216.58.208.99:443 | beacons.gcp.gvt2.com | tcp |
| GB | 216.58.208.99:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | e2c14.gcp.gvt2.com | udp |
| US | 8.8.8.8:53 | 99.208.58.216.in-addr.arpa | udp |
| BE | 35.240.1.200:443 | e2c14.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 200.1.240.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons3.gvt2.com | udp |
| GB | 216.58.208.99:443 | beacons3.gvt2.com | udp |
| US | 8.8.8.8:53 | beacons.gvt2.com | udp |
Files
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 51bf86678757b7d65995666a2774c0f2 |
| SHA1 | a5bd413bf0046e4dddcda5b83d3c1f57c6136a13 |
| SHA256 | 703e06d65919c2587706c1174651b9ef01acfb58c2e7a0263490db1c9ed39caa |
| SHA512 | f15f022a2bb2f7bd7a85a09ef3b779574e960724045215a4c7d84efa95c49d64ebe72eefecde97959a90ae7a35c23680817d1a1f61b88b5dc1cf54683c5aa0a4 |
\??\pipe\crashpad_4740_JYUUNQPCGWDMSBKZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | f0dc66a92d28facb04db910f8a91f3ad |
| SHA1 | 87b2c314d3f629bf22a84ad3f7ac090f38175316 |
| SHA256 | 7348a52cc2d7736edf4acc08c8989a49883908692c84a6ba12df8d8dfd228fb5 |
| SHA512 | 7434f93835d26122619e8eb70c79632d52932329557675f445970f50d0e0c7bb97fafda0dd688290f8268c7306f1578882b3842ead012ebd344b21ee6584f752 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1e852eb1e26daf5eb73156e9225130f9 |
| SHA1 | 431e269e0ae209c1685f1fc12225790ce812e81a |
| SHA256 | a3c732a347f926fdc7ef20514150ff12a705499ce5f290088b23bfad3dfc99bc |
| SHA512 | 9152f336901e99e13e32b3a42d7f103d4c92c347f23e011b0af595a5895724f08db0854fc0b16c4f593f0d5a1c92f6b5570b51b1853940ff180e8c83e194e389 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 261c2147428b9698022934ed615f5426 |
| SHA1 | dbbecaceb8c35598b2bc81fcb6f2fc120d103094 |
| SHA256 | a749e9c6e358578260badb757349c2c7ed59426d756bee6ed3f34d1632518938 |
| SHA512 | b99b7ef457eb7169199d15bf70e17f72c565593507e13b4496976790ba53eab45f781c9e5cb5c0dd83acdc06f7fb8ffeb39fed7d307cd6790863195aba245e1b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 8a03b3f4b0bbad857c55237656cefb9c |
| SHA1 | 3193498fa246d92d58a39ed2469def770331b375 |
| SHA256 | 79a3c302ec6be23141730f271a460816a21f5285e72ff7b8c46457b081de978a |
| SHA512 | 94cda64ee468115b31aee3cb681a85cdedcc5ae1911fdb2ea840b5c16e888c3cef1d1a443d44c50b723d844b501e41b85243a0cd6a80efa6cb869f88fca75bf6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 68905cde7b78ce9ef3f08794b94127b6 |
| SHA1 | 7b2c0764bd7f72a3858f14d1fe054c1a41e013ba |
| SHA256 | d94d540822116ad906a5d1f8f0970e22d519e4c85161212617a2d0642baa7ee7 |
| SHA512 | f916e0561e1735d09b049f9c23c3dc606fb8084a673abeff274beb539dbb1e7cdb83c2c196a44e76b2e466dfddd299b2b85fdb388144e36489946525d07c5ec2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | e1c7b83232c9dece215e6a013b4c5376 |
| SHA1 | 24425346d93b42fb07711b3a6a9753bb2f2b3319 |
| SHA256 | e48c81c1dbe733104682419535d9f6fb92dfd082224604048b428b0a1645d153 |
| SHA512 | f6c063a6277b8e6a98546a6b510179cd8b8896a8b739722866cd7c181a5eaa9810940faf46d380ecea47f6fb7baabf31a70ab54faf9219fe3e64262c69c57efc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0118a625439aeda2ea5123983de7d92d |
| SHA1 | 0a0f0f2e2aff70742fb49ad1717ca0c15bc7d6b3 |
| SHA256 | 5f3c2543f8d6d23e7106dfda4eb7775c3796b0520810fb35ac1dda7646ee21b1 |
| SHA512 | 9f4555d979d133011a4109d35a0c4e28f29d377756d5bf097aef651f828771f5b0155e6a239aae9d0653ec5be1c975791237443ab342ccedba753b420ba0d7a7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013
| MD5 | 3b5537dce96f57098998e410b0202920 |
| SHA1 | 7732b57e4e3bbc122d63f67078efa7cf5f975448 |
| SHA256 | a1c54426705d6cef00e0ae98f5ad1615735a31a4e200c3a5835b44266a4a3f88 |
| SHA512 | c038c334db3a467a710c624704eb5884fd40314cd57bd2fd154806a59c0be954c414727628d50e41cdfd86f5334ceefcf1363d641b2681c1137651cbbb4fd55d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a
| MD5 | b81d6636c3ad72c63e532e5180eaf7f9 |
| SHA1 | ddcd059999fff6218e98af62dbe3fa9c885a0de8 |
| SHA256 | 2fb4351c49b47b7cdaa9516237a8b1e690e4448339d09d70a84c658729e461ef |
| SHA512 | 4f0b87bbf60061a8efca4906554f958b7c28cf582452e01a8316d8c5ea8c98beda6c3230afff207f0b92d316c4c2e0ca1b4631e7d7364344b4a76394115af06b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 7254070c93bf3272314cdaeaf8fb5b8e |
| SHA1 | 1d724bf7ce99f71ab60b8df77afd3bc052f12b47 |
| SHA256 | 77ef52405224153de7808133ff39254e30225e02140f03098494a152dcf8d147 |
| SHA512 | d74fb0e536e13bc6be1713f5d347fb3db02c0dcf37904e35f9ceaf92705a926b85175c0eef7cf72929ba7c7ae0e9dc9f4e2e45defd6ebf61690d293f6c33b456 |
C:\Users\Admin\Downloads\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.zip
| MD5 | d494f04b1ac2db7fe20ee1f314f96c5b |
| SHA1 | 21dadf43d21e7341ab8b635ce055bf0a5dca2fe4 |
| SHA256 | de914d46c6d1fc285229ed051e14011d52e24a9322f70211db9dbede19918977 |
| SHA512 | c663289dc73b969df052961bafc60ecc1be1c1d1bd479b3fccd1a0bfb67da6b029383f632f83a4f4e46965cdcdabc28ff81d59eee885b1d446230d25158e388a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 468d3970184938f0272d6702245bfb11 |
| SHA1 | e411d02b549113f5717a3cc7a83d4fa4b9bca698 |
| SHA256 | 9c9c359bda2dfbfe008fe85475fcc4ea7f37ce668ad2e7824624a7fcffb962b6 |
| SHA512 | 87a1d3c2e78c985cd98d94538704df81fcd47aa3b014e772ba5aa70f6353db8b7b463e41d6454f6e92ba64c9633fe30b7efcc80738c2a38893c756afabc28a64 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b24b8e6f-58b1-4035-9dce-fe9eecfbee1d.tmp
| MD5 | 4032a30f729619f228a00e2eb795d7b7 |
| SHA1 | a271d024e26b85b3d4ecd34fd214d96a3a0ad06c |
| SHA256 | 1084cbad50e8f9d3e59f331a18f10dfe09b4d60d8bc6589aeb36bb2f408e7cf6 |
| SHA512 | 4e487c8fb027b10ca46057e72cbec0791852cff7e98baff237233fede6e485b573c6b2a9dc89eb394c08c70483affb310b04c4e77980965ee75003b3f9977a3a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | d3d794e96e158abe952379fed8b127c1 |
| SHA1 | 3cdc910de4936fd515f1667bf6552ddfd8de0bb5 |
| SHA256 | 8ba8325b31c75a01b5b1a2d737799871f74636d669dba77e5423e43014dd95d6 |
| SHA512 | 1a6ea8c446784a200524c30d46d6e441939372fa6021fb84ab0ccc8e75668023516b99f16d2f9358d21ed69e1d1d9c93184c8de9e3819d5fa64a6c1a41556cea |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580f5d.TMP
| MD5 | ef15ee2bc7b7c45f4b0d8f7b4f14dacf |
| SHA1 | d33fc93c9b58972f2b90fe30517e54f76680f3b7 |
| SHA256 | 9a807e657f67a49728ba5c019321823dee50acecae87ae1824072d06177ea236 |
| SHA512 | beb792929e4303fc813238e8f4b5e54809dd12929fbec5254ef832a54a9c52362454f879d8f819cc7c65b057416ff07e297fabfa0fa2c76d956e130566f2d61a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | bee9bba62a23cb8689747f18935e3ae0 |
| SHA1 | b21719e9a3707f2efd0304d5cd9d651cc9ff538f |
| SHA256 | 4545f44e3d19ac9a0b7f3c219eb19d5f8d403779ab5ba253d11c10c717c9c2a6 |
| SHA512 | da16f5ecfb349b76bf55a187723d12c6f02accc21b3c37bebb3d444bee57bece9c74c8009581f001b3ec3b31e06f4eb6dd4aa233684007dac8a90a9c7644e981 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 32a8ebf5efe9a8538b41740efb475140 |
| SHA1 | 1aecfee5f435f3d74415c8838c28e2b399e12029 |
| SHA256 | 5aa0d7e12757ebfa4f41d5f66031b3bd2d7bf1be92891b409212e986906a89e6 |
| SHA512 | 131d65831ea8f0ccea07e12ed6d53eba504007c45429ba27839a4e80d505fbd74a293d61a689cb10fc8017e823ad92e840e539aebbd8a9b1be7268dfcb62756a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | c490a7dba4053c0d53483cce9fac5c3a |
| SHA1 | 9ef2bba8cf3f44bcf16b1ce43361431dd66392a7 |
| SHA256 | 82b775bd1c15a8b00e4a0dca301920312106f319ad632d32c7bfd5a30445cdde |
| SHA512 | bffccd714b171f508d564ff4dda3433457383063cc7dd6b61273e215b36aa77c68bc2da8609634187fc4158ffa701b598beb826ccde43955f42b9af430c33fd4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 51380d0a331a0c7f38b983b58bc86c45 |
| SHA1 | 6fe15516dab51c46914aa8a3aee1a9340675629a |
| SHA256 | c9ce169836e91e6bd75a9e87cb41c59dd44a026eac4c549c9292c60e76eb8dd2 |
| SHA512 | 6e3fb55202088cebb4ab64758682b5a01c4edb4b09ca142b536e5dcde4121dee4891f258fe35180b3074bde74389accc96b40cc7e55f7f1f1a82098c16cba2c8 |
C:\Users\Admin\Downloads\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe
| MD5 | 489e088030eae6acf86c690cb42352b4 |
| SHA1 | 943a6abb8d2ff25ae6b54c953b211879328a5123 |
| SHA256 | a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9 |
| SHA512 | 78e7d85f57f0b85a71c617d4bea8783b433340a006756064181745a85b3de8d49f66ca3b460414406d1e83b525134aba0f6451c53b95f5ed482604c8395e6b99 |
C:\Windows\Tasks\wow64.job
| MD5 | ed66f8f7c249f3373a07f0f053844bb2 |
| SHA1 | 7de3e56fc3a6600fe979e95d829e9ef131110ba5 |
| SHA256 | afcbb68cc71343c13774a10d74a9a739e8661b2f068beabf8ed1266ab966c18b |
| SHA512 | be5dcab2dd0e39b81533d29fdcb8d20020d64222dcaf16523a8d0e1ffc8b5b8ae89108be4ffd29628ee8b877554ed2105f3de555336c3cd0782a16578a4e4be7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 15fa306707002f1055178ba444a890e9 |
| SHA1 | 09eeab396c087f5c1e5a513fa981d52b7a6451c9 |
| SHA256 | 236e665568187db2335eb3df93260151f1a1d37527d7de296f495c8aaac80e65 |
| SHA512 | 15740a878372c26ae44a08ddeec7a3f593cebf43873281014a013d927613ea3be025608d1b572735855d6bdcb37d111d107e10e52520868ee57d43f1642f3545 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-05 19:52
Reported
2023-04-05 19:55
Platform
win7-20230220-en
Max time kernel
79s
Max time network
141s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\wow64.job | C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe | N/A |
| File opened for modification | C:\Windows\Tasks\wow64.job | C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 432 wrote to memory of 1152 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe |
| PID 432 wrote to memory of 1152 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe |
| PID 432 wrote to memory of 1152 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe |
| PID 432 wrote to memory of 1152 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe
"C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {C2AE5A8C-5AA8-47E7-9C04-D4DB3F35E8BA} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe
C:\Users\Admin\AppData\Local\Temp\a21619b981f4e2b4a1858f0457b42491ef99688278816a66e0652d745e110bb9.exe start
Network
| Country | Destination | Domain | Proto |
| RO | 185.198.56.2:4171 | | tcp |