hxxp://rclone[.]zip

Resubmissions

14-05-2023 23:21

230514-3cexrsgb9t 6

14-05-2023 23:14

230514-28cxlsdh58 6

Analysis

max time kernel
54s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://rclone.zip

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133285801308794379"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2204	1368	chrome.exe	85
PID 1368 wrote to memory of 2204	1368	chrome.exe	85
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 1904	1368	chrome.exe	86
PID 1368 wrote to memory of 2092	1368	chrome.exe	87
PID 1368 wrote to memory of 2092	1368	chrome.exe	87
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88
PID 1368 wrote to memory of 3744	1368	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://rclone.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd3bc9758,0x7ffbd3bc9768,0x7ffbd3bc9778
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1796,i,14802856714133568725,1077130260722130225,131072 /prefetch:2
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1796,i,14802856714133568725,1077130260722130225,131072 /prefetch:8
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1796,i,14802856714133568725,1077130260722130225,131072 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1796,i,14802856714133568725,1077130260722130225,131072 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1796,i,14802856714133568725,1077130260722130225,131072 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4568 --field-trial-handle=1796,i,14802856714133568725,1077130260722130225,131072 /prefetch:1
  2⤵
  PID:332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4872 --field-trial-handle=1796,i,14802856714133568725,1077130260722130225,131072 /prefetch:1
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1796,i,14802856714133568725,1077130260722130225,131072 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1796,i,14802856714133568725,1077130260722130225,131072 /prefetch:8
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3480 --field-trial-handle=1796,i,14802856714133568725,1077130260722130225,131072 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1832 --field-trial-handle=1796,i,14802856714133568725,1077130260722130225,131072 /prefetch:1
  2⤵
  PID:2320

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
5d817da91aceb3dcbe35626ef63a83c6

SHA1
0fd72abea38c5a73881997330f4724c453bf2e81

SHA256
8f94fa179952224bce7265527887f4fce2f6d5824f5034bceade3b5e7c01e966

SHA512
315d921712d1816937362a4129fbe31cc517525f3c505583ec3a3ade204435e250ea62a1093445fb8731fdf6c311b24eca62af21bb1fd5f8f1d21409de71f7f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f1c841c5628eb8fdd1c2ecd6b57bcebf

SHA1
9eab1a9014b0c0271d095d0347526b106defa53b

SHA256
4e457be023c9da16b1a7dfcc9775a03a9be583bc1ad8de488a859d98ccd18f17

SHA512
cc5d23fa8c544e403b8bf77c39f188bd133a20f3157e1ef09a46709720b174bcad105958b79491a0d390afcd65d77843ab48198d962ff903abf1660c9ee2da6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8ef8a0958984efc0277083ae869e631c

SHA1
0fa4251b109e34208c773f9de06c42ae399d34b3

SHA256
aef3c50d8fefa8c1001d4791fbd861359dba10baaa0cef9cd691a96716324670

SHA512
73c3b17a6a51e01f615e9dc4f81dd4105710d27845bd17769f7aa98011c2cd5ce8616b8f8c599c6e5a6dff610cad11748ac8f5db4866e41e9b11b12c82529cf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1f1f95c56f033895df436a6520469056

SHA1
a05ba983c0935057a66051a0026cbb9899104a18

SHA256
8fbd59541b623d4250141f3244eb2337a88d0e5e1bc393041c7cee175d7812f1

SHA512
9b9ac3669f3337738b787251bff897314a6d52cf50f7283b9644cb577f578e5751186dfffad81a101e45a72a80a5b2d4b5f061e716e890536691f8aa307dc850

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1909038ab85b41fa8fd0bd37ae9d9848

SHA1
cf6a010e1004ce1a4d7d227a266d61c2d3dc1f9d

SHA256
6cda8c97b7346059882239263f9015c8a449aead094fe0ee7a4ddb47fc08c8bc

SHA512
a017b162e2ea39d094c16ed3104b007a3b75f8a55bd30420beec5e8ea259e912a65bdaa542c9c081f3eb60e9c55aba940850220045a37999a12c2c361f846240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
d49960a732294891e353187440042d4a

SHA1
fb6c29b45c7a5fd7dc5913e5fb44847891971f0b

SHA256
637744ddb8022fd6aa48391d6dea5bbdea19ec5b3b3b884d67ce6cc07e6bf844

SHA512
056e3ffe6d515b4dafb861a102de79d69d3a55a06739a4a899a961be45e1b6f0bb4893fe48f791b6f0f49241a7e1f626ce0ed5a7512523d89b0fa9eb6203b27f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit