hxxps://dim[.]mcusercontent[.]com/https/cdn-images[.]mailchimp[.]com%2Ficons%2Fsocial-block-v3%2Fblock-icons-v3%2Finstagram-filled-dark-40[.]png?w=40&dpr=2

Analysis

max time kernel
91s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2023 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dim.mcusercontent.com/https/cdn-images.mailchimp.com%2Ficons%2Fsocial-block-v3%2Fblock-icons-v3%2Finstagram-filled-dark-40.png?w=40&dpr=2

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1536	chrome.exe
1536	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1536	chrome.exe
1536	chrome.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe
Token: SeShutdownPrivilege	1536	chrome.exe
Token: SeCreatePagefilePrivilege	1536	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 3936	1536	chrome.exe	77
PID 1536 wrote to memory of 3936	1536	chrome.exe	77
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3412	1536	chrome.exe	80
PID 1536 wrote to memory of 3836	1536	chrome.exe	81
PID 1536 wrote to memory of 3836	1536	chrome.exe	81
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82
PID 1536 wrote to memory of 4764	1536	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://dim.mcusercontent.com/https/cdn-images.mailchimp.com%2Ficons%2Fsocial-block-v3%2Fblock-icons-v3%2Finstagram-filled-dark-40.png?w=40&dpr=2
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee9ad9758,0x7ffee9ad9768,0x7ffee9ad9778
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1824,i,17908162892861836012,15431055325078145507,131072 /prefetch:2
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1824,i,17908162892861836012,15431055325078145507,131072 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1824,i,17908162892861836012,15431055325078145507,131072 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1824,i,17908162892861836012,15431055325078145507,131072 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1824,i,17908162892861836012,15431055325078145507,131072 /prefetch:1
  2⤵
  PID:4280

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8ce4747fdeadf8b6e729a141636c8699

SHA1
8648ff86eceb9aacf1a948d9de100de2b9cfc662

SHA256
f615afe20169492f8beb84f2c5fb227c2afa10c8f070cd8d1ee72060981037c2

SHA512
8216354597e4b182d7d2e2d75e8b35ba2e5f1d189b75b0ac298fd97189c675c1d12709b93d6ce1ea46acb8e7e457fb8a046bc4ce37e60a29e0e5ea18ba438dfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6918c1befe0b2562b964d81264766d85

SHA1
5fd0f425d5b35b979259e1610075bbae05c0d06d

SHA256
ae5f05898693cb80a1945e9c5effefcba0fe1e93fb8794d36435f92060ffd745

SHA512
25f1ffaba06154b795a7d142da066eacd01cf7596dc29a371f93524a5a3e89e6720a5ffc577bdfff14b986a6db9bf62cc835bdd304324cd82f7966281a7182b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
07961430bf23f3762b38ac187e2bc207

SHA1
896eb74425e30559963946b97912c3e80bea4a28

SHA256
b7dc8e690ca18d5a49ecd72265d545c2c2968f24bcddbdef3c151564582ec23a

SHA512
90c466e92d8afa462e4eeb7408b5f918f0eabcc568341c2f388651ea5564c1f2589d0d178a6b1b0f4a270092be870ab18fabf9daceee766c3ddbccc3b870dd19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
09a4e77141a472d6a0b3c81d73475ad5

SHA1
b3e34752df9b0489ddf4fef927dca073a608da37

SHA256
46eaaa514c3e38076fb4313d2a31d0f1f119f891f027ac5414ca6e994149130f

SHA512
89fbfe7110952988a1810a8f65e69cb1f551d55dc5302aae456a819afdfaaf213d205f6b77772a4c4f78c208a76494a404b3eace312e61dd423d5f98a84006f8

Download Submit