6f068ef52b51e7d82956c6d257b9147e450203fecc75d8c4c66965254a3f55df

Analysis

max time kernel
191s
max time network
293s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/04/2023, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AW.pdf
Size

52KB
MD5

1dc5d8199e10209124f50294a5e4fc0e
SHA1

d51d2197739d6c0a7c69ae888e61cdb9639c60a3
SHA256

6f068ef52b51e7d82956c6d257b9147e450203fecc75d8c4c66965254a3f55df
SHA512

9c01fb66c83ccbaf81df7869c7d8269518cbb6c6f30cc0f9fc7062a9de74cb67af777b8aae81ce04bd68c13bc919c79232497d2501fd90e3a7637d5e3ea2a446
SSDEEP

1536:nHGy0C/AiE5FIm4lIyWOgUyZZXqiuCT6W23:nmy0Ue5T47WiyTX5uSX23

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
760	chrome.exe
760	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe
Token: SeShutdownPrivilege	760	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe
760	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1736	AcroRd32.exe
1736	AcroRd32.exe
1736	AcroRd32.exe
1736	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 616	760	chrome.exe	27
PID 760 wrote to memory of 616	760	chrome.exe	27
PID 760 wrote to memory of 616	760	chrome.exe	27
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1548	760	chrome.exe	29
PID 760 wrote to memory of 1060	760	chrome.exe	30
PID 760 wrote to memory of 1060	760	chrome.exe	30
PID 760 wrote to memory of 1060	760	chrome.exe	30
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31
PID 760 wrote to memory of 1288	760	chrome.exe	31

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\AW.pdf"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefac79758,0x7fefac79768,0x7fefac79778
  2⤵
  PID:616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1224 --field-trial-handle=1328,i,2865260891245543670,15951251821084810318,131072 /prefetch:2
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1328,i,2865260891245543670,15951251821084810318,131072 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1328,i,2865260891245543670,15951251821084810318,131072 /prefetch:8
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1328,i,2865260891245543670,15951251821084810318,131072 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2240 --field-trial-handle=1328,i,2865260891245543670,15951251821084810318,131072 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1340 --field-trial-handle=1328,i,2865260891245543670,15951251821084810318,131072 /prefetch:2
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2276 --field-trial-handle=1328,i,2865260891245543670,15951251821084810318,131072 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3820 --field-trial-handle=1328,i,2865260891245543670,15951251821084810318,131072 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3796 --field-trial-handle=1328,i,2865260891245543670,15951251821084810318,131072 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 --field-trial-handle=1328,i,2865260891245543670,15951251821084810318,131072 /prefetch:8
  2⤵
  PID:2688

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\348da631-78be-467f-872f-ef04d1d8131c.tmp

Filesize
4KB

MD5
46d6ceffcd7a60381614a893065ea0ee

SHA1
05374b4113ce5a2a46a311486a0aa5f337ead2b7

SHA256
461ff67636c738daa8eeb31a91b24b7d179b050c488d7d7ca3b747b2752fec82

SHA512
572723f2987b1e8e00fa6bf471c3b4a279da2d427345d27e96e2db8bbe320cbddb2649c708904b158191d470153c9e6d2f7504f2a3307bb50f59ce4407f597ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6f5439.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
4c63d32782c0d1ee51b5e276558cf244

SHA1
e517eff707f22f92f6c315fba6815e9487639c53

SHA256
8eee572f33717fd02459cb4792ae05e1acb55c5ef5518550f0ed6cc9b7dd9ffb

SHA512
55370505225902ae7e60ec751ed3d1e445b1be080a8b9905be706c0ebe7bc62c787e5c83b55f54206d61689b8ff3931ad17c60cf7bad5faf29ab0d777bcfaf30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit