hxxps://embed[.]filekitcdn[.]com/e/g4CFcx7cjXF2Z8TRZ1TmWC/wRskxtz94nLDmYjU2uiar1

Analysis

max time kernel
150s
max time network
141s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
05/06/2023, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://embed.filekitcdn.com/e/g4CFcx7cjXF2Z8TRZ1TmWC/wRskxtz94nLDmYjU2uiar1

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133304309464349314"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4128	chrome.exe
4128	chrome.exe
5056	chrome.exe
5056	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4128	chrome.exe
4128	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 4120	4128	chrome.exe	66
PID 4128 wrote to memory of 4120	4128	chrome.exe	66
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 2072	4128	chrome.exe	69
PID 4128 wrote to memory of 3048	4128	chrome.exe	68
PID 4128 wrote to memory of 3048	4128	chrome.exe	68
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70
PID 4128 wrote to memory of 5116	4128	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://embed.filekitcdn.com/e/g4CFcx7cjXF2Z8TRZ1TmWC/wRskxtz94nLDmYjU2uiar1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xac,0xd8,0x7ffd4ed49758,0x7ffd4ed49768,0x7ffd4ed49778
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=1752,i,16814847680634448527,12559599907830161400,131072 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1752,i,16814847680634448527,12559599907830161400,131072 /prefetch:2
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 --field-trial-handle=1752,i,16814847680634448527,12559599907830161400,131072 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1752,i,16814847680634448527,12559599907830161400,131072 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1752,i,16814847680634448527,12559599907830161400,131072 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1752,i,16814847680634448527,12559599907830161400,131072 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1752,i,16814847680634448527,12559599907830161400,131072 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4476 --field-trial-handle=1752,i,16814847680634448527,12559599907830161400,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
707B

MD5
47c42993c65f23ff8797c1d6edb4f56b

SHA1
b8c1899b5402d41fc6d5b44c6ab6f80916ec3625

SHA256
b60493815c9a0159733cc336d44969113ad11925e30ccb34991113caf2b788d4

SHA512
cf7b81e5fc75da0ce18085cce21efe53dd1a55c47a766ad955132ec077c1f26555fb68d0212c0e5f12d0ba0ffb0a6e2d2e0cfc94984954b4cbe86a14ccc12edf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2af7d6ab17d1d3c719c726735e858fc1

SHA1
9959a3a30c6cf91e0d031e830cedbf096cd801ed

SHA256
8baa4e4d6e0a32fcb29bde4109cbfdc8554edc5440505ee56090859b90f4c401

SHA512
423368f5e87b979576da1d114041301d6f1be20c2dfec3f4eb2f95a59000bdae8a2c41c35a874e815e7e39346050feca83f5bbbf3e769f280fac639ca0cbd717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3588667631ae587e645440b570b8a7d4

SHA1
3219565f2b4ded2c04d0ad468bc91e15d09cea60

SHA256
b5e11adcd5c1dbb8c4c72964e79afcf41cf9806e6dfa0ce4210105e2aded5a0b

SHA512
b0badddae3818e69b3acc20fc7c42b99b3616efa8cf505d689c6da00844d2dbfd3bf0d19de3f7d89d8545b84711c1a7c33fcee3845b90c77f106546a4a4b1091

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5c66b2dfeb9d8cebe48e5ba37c84aded

SHA1
aec642b17520873fd6ebc862b6ee24502e59e9ac

SHA256
7b7c30e0ac9726591e534aca4bcb0322c464b6f3283e68996dc14465f00a467c

SHA512
48172b6a3934256685a60fcd9c78d06679afd481c1552f5d0487b2658c282b1351d98413d3b9e8569753970ee990ed2ba5f4855e540d5706b2594a76cf46470b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
e74e9720ea4094d425abd74f2453661b

SHA1
3f9cc3559141e7c383f276108496807be7c9ea82

SHA256
7eacc647b2820c91c294e750b5e1e6cacac5903f183e1a000306921bb74a1c07

SHA512
81523cb027db0adee84225c1c5eff15abe2ef731e1637d65331073bc954e2dee5e26f8100cdbd7583c7640ae30b85fba61247638f593f4743647895d6c553f72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit