hxxps://www[.]dropbox[.]com/s/dl/2lp810ujkbrwovn/ThunderBird[.]rar

Analysis

max time kernel
1800s
max time network
1690s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2023, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/s/dl/2lp810ujkbrwovn/ThunderBird.rar

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133338386655329002"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3424	chrome.exe
3424	chrome.exe
776	chrome.exe
776	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3424	chrome.exe
3424	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 2212	3424	chrome.exe	84
PID 3424 wrote to memory of 2212	3424	chrome.exe	84
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 708	3424	chrome.exe	87
PID 3424 wrote to memory of 4084	3424	chrome.exe	88
PID 3424 wrote to memory of 4084	3424	chrome.exe	88
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89
PID 3424 wrote to memory of 3856	3424	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.dropbox.com/s/dl/2lp810ujkbrwovn/ThunderBird.rar
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcffec9758,0x7ffcffec9768,0x7ffcffec9778
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1872,i,12806669805245023754,286348383637405689,131072 /prefetch:2
  2⤵
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1872,i,12806669805245023754,286348383637405689,131072 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1872,i,12806669805245023754,286348383637405689,131072 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1872,i,12806669805245023754,286348383637405689,131072 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1872,i,12806669805245023754,286348383637405689,131072 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1872,i,12806669805245023754,286348383637405689,131072 /prefetch:8
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1872,i,12806669805245023754,286348383637405689,131072 /prefetch:8
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1872,i,12806669805245023754,286348383637405689,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2384 --field-trial-handle=1872,i,12806669805245023754,286348383637405689,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
208dfcf29256562ec52b371444dc96cd

SHA1
87e00f5efd7770e88be0c7656caf88dcb43c4b02

SHA256
f7d1a511032ea8d617930b94ceb7926e80d595ad11d1b033e15b37324adc8057

SHA512
a2e3eb5d6e55df16e2b37e713a6ee21526ce15b0ba852cda21c677002981b79bc4f341b70ed5fc5da92c6337c784687da5767107e34e28c6ce3c37fe57af488b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fe8ad7a3325e0b2e1c124d2a9b5c1028

SHA1
e5660551f7aab71e2e18c476dfe6e4fe6447ef69

SHA256
ea854564cd4edd8269c640cc860a930cadfa23725f4ea5b2cb2227fdbd979029

SHA512
e102d25c91580d01306ab6f621bb12e119efb84a97ab55bcc3addecdd177452d759abf7349002c00099b8a4d82ad308ec37e145e14c62bf2de20fd75b4757b69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
7840728407939ef454867c6c2b53016c

SHA1
6988436041262879debdc274f4494edee0e484ce

SHA256
dfe95cdab38ef554be5a77039ce0ed6fdf9319b41aa6e6ae04613c7186f465c6

SHA512
158e0a72698d453c10d18ff522da06f468a65178fdc30903fe7fb19028febad1466b876b45179a6f5cd5ba3cac9a5ffd91c53e0cdafc4850903805bb30887c7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6700ffdcd6d724d4d5c9bdfabed04bdf

SHA1
449e28c1b4275bfd2f943f7c91f3aa15966b6728

SHA256
336147e49dc518021d3488e18690bbdd0001f42f423aaa4fc7311696ec7f74e2

SHA512
875fb9c4ab0b142ed2be27fd529fab1494ccf7c636d4821d193242ff2983a2a4d0b3208b717c1958281e7cdeeee861fa3e50d23f7a40a1d1c80dfaf848d3c102

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ba5b2f369ab8082a26ec208cbe632141

SHA1
656d69a0ab6f7e18c3983516a41cfd6671a08d8a

SHA256
c235bb8aa086fb0b36803d1ddbe0b23cf37c5c4df927bcc553efdd5f5a1abc97

SHA512
fa1c392b6c86ec07c08b8fba355d0fd043bb683344c7a92815fd3f7144275d69988855442576f71202287648a0624fc9d151b61d42b17efb245c1a7c60234a72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fad1e82fb9cb118565db867574a80955

SHA1
b44245f325f776f4bb16e2e3810fce33623d08fb

SHA256
10d559000dc554467d444a55644635d504baf6207d4b063ca21d4ccdc5f9b2c1

SHA512
ad4695bc90e7069cafe0a25712b7c63a8e7c6207c67215480de6eea118d6b2943542b7f561980a9093538002e9cfe3636f93975595e2e730bfa6efebfd0f7cf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
7e74274a1a42df54c0d6a5c7aecaf066

SHA1
22fda210c637a2fd1ee846f69040551b90fef763

SHA256
d93a98f3208579dcd86c53539523cf5ff30ec9864d656fafec878fbf750f1b7e

SHA512
bcbec3ddafa2d0586947accba6aa2a2481b389df4d342b72d78db0fc4927e584ef4976cf9d7df911f474584a82d990d1b9563969600c0ce2fc4512e11029fb6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\ThunderBird.rar.crdownload

Filesize
16.0MB

MD5
4b4f0de594a228dc3af6daf1cefbe34e

SHA1
1668a457a86ef4cb5d6893f401ca94d0914ea522

SHA256
8edb7700c5546aa3eab8234a6015d719ba912d198dd70335fbc5cb1e58ac814b

SHA512
355bb9f4fe044aed94d1ebdcbf230a7d5823d673a477054d2086e66e3a76ffe6dbd858eb5b82d99a1a998bdcf2946f24e67ad64757fb05926e484517e6295664

Download Submit