4b7b31141800c43ed67acd6b0c9c9a1845618ca51413db51d355fd9b53f3302e

Analysis

max time kernel
22s
max time network
146s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OutstandingInvoice38410.htm
Size

451B
MD5

23a28b7029a01c97e66a4d57e9881d22
SHA1

ebad9c63e3f9d78f5c80ccaf40154be480a1071f
SHA256

4b7b31141800c43ed67acd6b0c9c9a1845618ca51413db51d355fd9b53f3302e
SHA512

7c95f707b1e3dcb82d793a83c715c1f33c044df81d2d89756a85a631fddd75402f6478c1198c855e44b6d5d51061fff9c11d3c9470b065714b22a1da122b30db

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2396	chrome.exe
2396	chrome.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe
Token: SeShutdownPrivilege	2396	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 3064	2396	chrome.exe	28
PID 2396 wrote to memory of 3064	2396	chrome.exe	28
PID 2396 wrote to memory of 3064	2396	chrome.exe	28
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 2924	2396	chrome.exe	30
PID 2396 wrote to memory of 1224	2396	chrome.exe	31
PID 2396 wrote to memory of 1224	2396	chrome.exe	31
PID 2396 wrote to memory of 1224	2396	chrome.exe	31
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32
PID 2396 wrote to memory of 2928	2396	chrome.exe	32

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\OutstandingInvoice38410.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6719758,0x7fef6719768,0x7fef6719778
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1004,i,8844801525507999324,6023024948435866752,131072 /prefetch:2
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1004,i,8844801525507999324,6023024948435866752,131072 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1004,i,8844801525507999324,6023024948435866752,131072 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2032 --field-trial-handle=1004,i,8844801525507999324,6023024948435866752,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2168 --field-trial-handle=1004,i,8844801525507999324,6023024948435866752,131072 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1436 --field-trial-handle=1004,i,8844801525507999324,6023024948435866752,131072 /prefetch:2
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 --field-trial-handle=1004,i,8844801525507999324,6023024948435866752,131072 /prefetch:8
  2⤵
  PID:1784

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6f2398.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
9a4b87ec89a9639724c00e41286a7e61

SHA1
b55132f3a654ce1a6963254811dcfa6bfec1ec10

SHA256
7d2de6d7f786da6f5566660d76e143fe283fd9fcae0bdb3199042ccea12628fa

SHA512
467e7a55dae8ba31804a7fdd3e2a620b6a9885963a5554db046241a3f0db975ac30666f3a62f70c55f7290e23ff8ed9b1a9196006db0a28bcb21c49000cc42a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
669def32398a543052ae57fbbdf2223e

SHA1
1d46f953d55b600d5752af3f067b198ec946bd7b

SHA256
1635baf87d492c00826c36ed2ae59a2caa6a927d028dad92f14b7b1e06384589

SHA512
4ed02dc1a43d7fbc4614d63ee87e34ba9745ea30bcf4110a3cdd80f756347581cb5283a5b3cd325287d3f7ffbd469ff1e65b13ed6e39bc7bb172eac4eeab19b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f2b11f20-b822-4646-9bb1-15d73b8da6b1.tmp

Filesize
4KB

MD5
d5c9cfdd0cf82a918b6167830cd180c1

SHA1
e40f0237ee6e9e45e69f16ae9dfaa482d0e3ea7e

SHA256
3ad6f5b1e36b59d1f218b5664985a9def4733749ea5d171a8e844bed19947a73

SHA512
3e4376edb857742c0f543e323423b21a365703bd11f401123067b0202e65ea949a2d1fa792dc54fab80b21190b329580b81c5960f8b549fd4ac4bd489f1d13d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6F97.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6FC9.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit