hxxps://drive[.]google[.]com/file/d/11oNR7vh5xo4mRfz_XNyt9uRi_ExhEPMC/view

General

Target

https://drive.google.com/file/d/11oNR7vh5xo4mRfz_XNyt9uRi_ExhEPMC/view

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133294083085189234"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1960 chrome.exe
1960 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1960 chrome.exe
1960 chrome.exe
1960 chrome.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1960 wrote to memory of 2116	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2116	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4560	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3472	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3472	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 220	1960	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://drive.google.com/file/d/11oNR7vh5xo4mRfz_XNyt9uRi_ExhEPMC/view
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb657e9758,0x7ffb657e9768,0x7ffb657e9778
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1824,i,15149398103045318398,9892540410257873758,131072 /prefetch:2
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1824,i,15149398103045318398,9892540410257873758,131072 /prefetch:8
2⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1824,i,15149398103045318398,9892540410257873758,131072 /prefetch:8
2⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1824,i,15149398103045318398,9892540410257873758,131072 /prefetch:1
2⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1824,i,15149398103045318398,9892540410257873758,131072 /prefetch:1
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4448 --field-trial-handle=1824,i,15149398103045318398,9892540410257873758,131072 /prefetch:1
2⤵
PID:3816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1824,i,15149398103045318398,9892540410257873758,131072 /prefetch:8
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5320 --field-trial-handle=1824,i,15149398103045318398,9892540410257873758,131072 /prefetch:8
2⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1824,i,15149398103045318398,9892540410257873758,131072 /prefetch:8
2⤵
PID:4360

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e73e85d2a5ee54d73619a6277b8a6661

SHA1
94de791c72768278899a083e671e715c955e99db

SHA256
08c7a21264b08e6e584c54bd4f619e599b5c5cdebf16b1f3f76070dd813f066a

SHA512
48223ab4c6c1c6198bbb552fde11eb25a54524b10cd24012e1920efb65a02726fc161d489df6e7fdcbcf00555c5e85cdd7994d72a8508c0bb8921efb3dcd8496

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d7d7e974dd35058dbd2f45876d07b90c

SHA1
a1b70b7817bb35f217af010f50dc9fd9c8c26e85

SHA256
b2e0e9db00c49596c7c54f29fed1ab73fffef301463dd8353f282f56ec099aae

SHA512
1f454b5a427660f18ff627ca0714c6eba630426501bb848bdaedf29d38156d00e10ede1695b58e4c73ccbf2354065aa1833c36185b502fbff8743f93eb8a0efd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
3936961121112f79e81fa88e96081b1b

SHA1
703eccd1ed05cb3b16976c4f13d7a07c85c5675f

SHA256
4a1af669df27ee2e2528b47f4f3c1dcdbd073929de6d4d38a9ed5fee6b5003ef

SHA512
ec9a2ab5a14f557044be894e31b5e9f9ed64b20b53818d576711c5ff46cb86539395b569de633a218a12e158468baf011e476d5bd8462d9789de597a383c15ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
5a5f24a79157d17c49c721f27ccc0866

SHA1
48c807f0dea8c32b1dcc741f3be618acd246d079

SHA256
8bec4270146f70cf75103e2bf4895af0626c2ba15b966619a9f0183be745c3eb

SHA512
84e305eba2785e014a42725946add4848df0561af7c3b80db775717a1892007bf28a8bee4dcc74732f68b9b0b96a84f83b2a0898097ffd883f99d442ec3ed2a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
152KB

MD5
8600b3b8bf94bb4fc4242fcdd9eead1d

SHA1
5cb2cb05edcfe4ac7321fa52fa1fb8e0a5caee30

SHA256
775241d729d5ac37419d86a97e9297afe25c0cc9d35e021836cc5e58904188f0

SHA512
6bd0e266e0b83ac38309e362b2e7852a34dc5ed9782a05fc80a745381b4dfbe6b60ceaceeb3f77eba618b6ce28559b66525214c5f8539a03dab23b4a431f26f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_1960_ZYALMAQASIJZSLAG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads