90e2d50df5ac5b437e21ed7f744bb1bbfdbec751e2093cf497c166cd43acc59d

Resubmissions

26-05-2023 11:29

230526-nls4esfb93 3

26-05-2023 11:27

230526-nkymhsff8z 6

Analysis

max time kernel
600s
max time network
495s
platform
windows10-1703_x64
resource
win10-20230220-es
resource tags

arch:x64arch:x86image:win10-20230220-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
26-05-2023 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Evon/bin/vs/editor/contrib/suggest/media/String_16x.svg
Size

4KB
MD5

48e754cb54c78a85dcc9aaea9a27847e
SHA1

8d79b23037deb6586e4954305dcb4caee14afbd2
SHA256

d1aa361f33564e8f9d527a01a66c7ce35d73f23417432e80ddf51f562770ee79
SHA512

f6d902b5c73b59636cb71d4019ff45cb77532bf22aab28a8314697e24a62163a94140c97495ad5ce421c09c26e4bcbfe5a815eae27e945c51ccd80c2ba9c3a77
SSDEEP

48:CnN6wkEX+c9Vlt4AFCj93Z0hDC7hSBnukNyhDFtrJGuG2XvS+yZCahDC7hSBnhKm:zJWFCMcfkCFGE6+yZCacJImkArbbqrAm

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133295747411893762"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1172 chrome.exe
1172 chrome.exe
4304 chrome.exe
4304 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1172 chrome.exe
1172 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe
Token: SeShutdownPrivilege	1172	chrome.exe
Token: SeCreatePagefilePrivilege	1172	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe
1172	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1172 wrote to memory of 1268	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 1268	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4448	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4636	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4636	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe
PID 1172 wrote to memory of 4644	1172	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\Evon\bin\vs\editor\contrib\suggest\media\String_16x.svg
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd90209758,0x7ffd90209768,0x7ffd90209778
2⤵
PID:1268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=1808,i,15349730791685577179,7509948540026657516,131072 /prefetch:8
2⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1808,i,15349730791685577179,7509948540026657516,131072 /prefetch:2
2⤵
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1808,i,15349730791685577179,7509948540026657516,131072 /prefetch:8
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1808,i,15349730791685577179,7509948540026657516,131072 /prefetch:1
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1808,i,15349730791685577179,7509948540026657516,131072 /prefetch:1
2⤵
PID:1432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1808,i,15349730791685577179,7509948540026657516,131072 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1808,i,15349730791685577179,7509948540026657516,131072 /prefetch:8
2⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3732 --field-trial-handle=1808,i,15349730791685577179,7509948540026657516,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
ccd1fda67ceda6afcf8deadcc56832a7

SHA1
f33bf7c634abae8d2264fa157c95c9fbafb6db31

SHA256
f5f79d6b1d87bd5897ca3e8ef4fb2a5667d67d14b6ffa6d63053eb3e6d6a258a

SHA512
55cc86fb6a3afe32d271485c06f7f64d265af745c3bc7ce166f5cbf4906107d58b1e013af2351ff027cd30fc944820000ee6a7e2ab7d171b36b76fda823ac31b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
80c1ed6cbb7c428ff19ab69fcf42a20a

SHA1
2532e02004c282101a623a4f3b4b6c6272b777fa

SHA256
59726742f5c244e56c10b76b236e9fe3bf62bdd476028abab294436362f55524

SHA512
12b9c435fc1ae2d3ba4d9dc18180187e9f3cc9d3bc23301320d45d0b48de7db6a29d11662461fbf946f2c12933cfa3cf958efd54c1a9daed5c1bea32dca6fcc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
81558208a348dc08879f5d8a1addce45

SHA1
63ee952443befb1eb1cdde21d11bedacfff7bd8e

SHA256
d499ca7ad3111766cebb51f1bab6d90127ed8112bca8788c6e41063ca3aaf99e

SHA512
068b4d7f8416881b9296df59acfbbe8cc5c3c297a3e866e295eeb01123c89c3c1c4f6ef2009b980e35944cea3cd1beaae3d866cdea3147c3620c040b9b89fe34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
153KB

MD5
d974a5eb68303c02305121fc33dec595

SHA1
da89cbf3a0a576e568b5d907c9b4994fb6ea7898

SHA256
01ba7b615f7aded64dbb234d5e54f693882db465832aefa1ac966b49b41338eb

SHA512
33a810487cf2d6bd6ae6aa79bb659ba2a5297761c3169261ed3d363b893b07bfbd6b272720119b209379eca0b458e853f918f4e78e1ab32637e1d4fa2c040f11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_1172_UNZJPCUYNABIYOPO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit