hxxps://drive[.]google[.]com/file/d/1e_rfLZn1FKC7CILXWGKWQiw8qKb2qHOm/view?usp=sharing

Analysis

max time kernel
1802s
max time network
1696s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2023 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1e_rfLZn1FKC7CILXWGKWQiw8qKb2qHOm/view?usp=sharing

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133302939334858821"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

812 chrome.exe
812 chrome.exe
484 chrome.exe
484 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

812 chrome.exe
812 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe
Token: SeShutdownPrivilege	812	chrome.exe
Token: SeCreatePagefilePrivilege	812	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe
812	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 812 wrote to memory of 4596	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 4596	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 1756	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3396	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3396	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe
PID 812 wrote to memory of 3624	812	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://drive.google.com/file/d/1e_rfLZn1FKC7CILXWGKWQiw8qKb2qHOm/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd74129758,0x7ffd74129768,0x7ffd74129778
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1800,i,15948830949812904004,1732598138011102351,131072 /prefetch:2
2⤵
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1800,i,15948830949812904004,1732598138011102351,131072 /prefetch:8
2⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1800,i,15948830949812904004,1732598138011102351,131072 /prefetch:8
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3148 --field-trial-handle=1800,i,15948830949812904004,1732598138011102351,131072 /prefetch:1
2⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1800,i,15948830949812904004,1732598138011102351,131072 /prefetch:1
2⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1800,i,15948830949812904004,1732598138011102351,131072 /prefetch:8
2⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1800,i,15948830949812904004,1732598138011102351,131072 /prefetch:8
2⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4796 --field-trial-handle=1800,i,15948830949812904004,1732598138011102351,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:484

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
6488cab7e6a11a06ba29e460d672cafe

SHA1
3fb4c7723457441f709514c52520eb08c03b06c6

SHA256
b8971a6ca061121f5058f2dd0d8e195d6a1c5fdd0cc5e356316f0171e80989c6

SHA512
c0a82f8e65059a34569995964c3256aa201c5407b287f09c47d2b1ebd539d83cf95b48cd551aa0e9bb0a04483cbc32d2ea9488e88ebdbffcd8c2d6c159234c9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
983571bc66a6e037b93823f71dd563f0

SHA1
11967ae8c587481a004f6c8b19627f32b55a88ce

SHA256
4a055e09f773efc8b2b9b65fc9e1a56cdb0604e2c270b693f2650039ba591e64

SHA512
6441568e5324ed40c7d947b08a35bb7ce39ce6a4484ee60074885fc87aea6d56e787140def48b131d1949e3bff78ffde1d0c1dd689312e2b4525b22716b85a24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
b4c1aaf86e9e57a490c3e4633eca4f00

SHA1
030920bbb3833333e66c8693cc6bbf0fdec2d405

SHA256
c1695482a98d99e4f1991c18d36b562180e1a010e9f50cac87c24606b5c0597f

SHA512
b86e190b3429d79b055e123877d49b9a30101f03b130bed8447ddcae1c80335dd021a05f144b0689fb2ebf4f133327a8ebc3b2a7c4a55ac59b978384ddd155fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
420981929f79dc4b5a550750efcb44b8

SHA1
3ebab8da0d1f0a821f5ddd64ca61dda5e1d54d28

SHA256
93889ee08b43dc884c98d183badad1fd84224723163807cb071cd4d12d84bbd6

SHA512
47bbf502b017cc58fe5825256094163bb8d3d62efcc0a04921c1d97b62ab9406f257e5dfdb3ce3b7af504163caf6fc0cd3df8ae1b3f8abac20a3a6c07c6a4385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
746f079cea5ccba3bc476f25b5d276cd

SHA1
1f74b6bdeff71f22c049b05672f522ea265574c6

SHA256
81ebd30a615009843f33f73b477d2e3637d78612d4ddf01921e10e16788cb15f

SHA512
3617358c59800f9f5946070a578ba33b58bd60839188802081801e6146e69742a6f22cdcb874e9aca3c314f7cd2eb388c65d67ea5d32bea67a50a90c124d1562

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
9ff34568a1468d1d2232294c3af3062b

SHA1
175ec08aa7c2082a46c1168c9dc6b3cd117a74b0

SHA256
5442ba0053decf913dced129099a71bdacb1a37ecb5d2c7bd763a90520c443fd

SHA512
d847c66398ff1f955a63bfd59d2e6e0b96930ad6e669a8c4422ed69e5d6a09f7323b166ee2790755d144d8ad72674c025a7d3641c296d8027cb6624f83634a22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
e7ee05495f9c8417741566c5efc6537a

SHA1
7bb2347730d0705d4425211dde70a486b889a1a4

SHA256
3e5f63f26a1a8346cfa85bfcd44ea7d85f7f4a1b5fcdd720fe6226f4813f75a7

SHA512
2514afb4b9c3875989295aefa06f167067126b7b5f655e773873c8d69c07f5e9193d97fbc795e09dc2d8dcd528ae534dafdcb1af1cfeffa564326a0e5b0bbd07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
57f4bdc1fdfe91da7152ee001aba5543

SHA1
8a10445ca94f7f68588edbc1a0a102547eb5fac5

SHA256
ca15f213bfb4537daee40f2d25836eb4c4e77709613639302c792455e3ffd159

SHA512
489d9ebf99e36f5b5528957ecb172b352cfca519516e6b6f8d588df3de74ceae1bf55004798b9e38630e9b2a6084075b360a213dcaee5068f674a6bda0322110

Download Submit
\??\pipe\crashpad_812_DBYMESCDDSXQFJPV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit