hxxp://drive[.]google[.]com/a/teamcomputers[.]com/uc?id=1AS27uboFhCbvLoIETW5xX1vKc0f_JCYJ&export=download

Analysis

max time kernel
300s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://drive.google.com/a/teamcomputers.com/uc?id=1AS27uboFhCbvLoIETW5xX1vKc0f_JCYJ&export=download

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133373395768281479"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2520	chrome.exe
2520	chrome.exe
3804	chrome.exe
3804	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2520	chrome.exe
2520	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe
Token: SeShutdownPrivilege	2520	chrome.exe
Token: SeCreatePagefilePrivilege	2520	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 452	2520	chrome.exe	82
PID 2520 wrote to memory of 452	2520	chrome.exe	82
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 436	2520	chrome.exe	84
PID 2520 wrote to memory of 3748	2520	chrome.exe	85
PID 2520 wrote to memory of 3748	2520	chrome.exe	85
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86
PID 2520 wrote to memory of 4256	2520	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://drive.google.com/a/teamcomputers.com/uc?id=1AS27uboFhCbvLoIETW5xX1vKc0f_JCYJ&export=download
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1b799758,0x7ffb1b799768,0x7ffb1b799778
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1852,i,1334312440267950835,10715069232161148022,131072 /prefetch:2
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1852,i,1334312440267950835,10715069232161148022,131072 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1244 --field-trial-handle=1852,i,1334312440267950835,10715069232161148022,131072 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2900 --field-trial-handle=1852,i,1334312440267950835,10715069232161148022,131072 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1852,i,1334312440267950835,10715069232161148022,131072 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1852,i,1334312440267950835,10715069232161148022,131072 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1852,i,1334312440267950835,10715069232161148022,131072 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=1852,i,1334312440267950835,10715069232161148022,131072 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4680 --field-trial-handle=1852,i,1334312440267950835,10715069232161148022,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3804

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
130c9ef5f8ec98f80e33c9f75f794d0d

SHA1
c8dd2781340b8c3f9ce56166eb38fa6068f37fb1

SHA256
b15806ebe55f1e2d29cae9b8f8b427b9d71260525505bf5ed6abf9c0d79ad320

SHA512
42e2a014c4ba4d66bdcac6963acf11231e460f98d8c31df79182390b73a512bc173096758d99eb99a48971f437828d7fd1ff7974b75faf7783f5ca5a864504e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
968fdff9c3940470fd51b7be6d6b3d99

SHA1
747a690638e79724e336d9f4a55c2b55e4d44fc9

SHA256
3e7ddaa85963bb37da2e7d385f51e0e74ded4278e6177575c66eda3e0207395c

SHA512
af93d7ac2406af1d0b6c6992e0ca7314a62aa839d6ebcccfa2eb9f43bb2c4139d89b0be9e44d0c61b2e5550eb41d1814a8fae58afe25212c70d00885f5a89232

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aaf6a1bf7a3b80a8d2d4bdeeaa142869

SHA1
e877ec45c2c6879f317bb800242a3ffe764176b9

SHA256
f8720d808ecf0dac8612d668982c6fb89c809382d0e95d8fc79af82c66159b76

SHA512
88b76b8f6c119587067320c1596c2f189af18067b490eb6008e13f84fac6ff88e460c3c351196f2e79fd4cfb81fbd9a2e64b8c76fed55663c9c2caee72aacc3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
093f2977e6d756159445b29fe4bf8e5f

SHA1
955d2d80bb65c7eb2f2a59bae1f873b1866654a6

SHA256
bd6e28bfa7860171ac2f196cd5ea9fca2a793c80e2c4d81c53d5cd3cecae9121

SHA512
95b978eba0775bb90c89af55b501e52caefff111cc2565217d531c594cc785e26b903e393a03a49efc35bc397c2c159de36b3c9a9f77d77d47071fb22df83fc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b964f792902661570d67b9a33d0dc6ac

SHA1
252c47ee70885ff4480f07e18df1dd5701eefe59

SHA256
20955af602bbacdce1d42cdaeb7d3b1eb2c0335fe1c266949f250f8a3262b2b6

SHA512
1fa9e69717e6ae5ca294883167533fce30a78f730d2d02978b7e267d2bec51bf9beb8f1a89d72138f6ec575d541b618450aa08a723eb1a35ea480cd4d84c31ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d80f39766985757f53f810774a117ef8

SHA1
0ecb26da2e838582fccc21c904057b4036b2b07a

SHA256
047a1ff8ae6b6558e92da3f87ff30dc7636ae0daf8a30dd1924d345559d7f216

SHA512
7aaa86a6391b7a920751a1b90e2960c3ed9ea4b32176d6258bcf22add14edf445d940d974722f6c1d863f88e136d7ad4a99bf3d3aa5094ee87dc524600394b0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d26a062523960edc25ec8f681589eb6b

SHA1
3e2301f6839032d1a6d01843a92a5519b3c7b87c

SHA256
7aac1eba077f80d1ddfbf633f0343044f94fda80506cb06baa1215180c0f3a4d

SHA512
fdd10d869060381adf0eb0cb2b76f8727c236cc9b69cf8d2009adc814b6eb725b73b3f7dc4885e5370159d282e9bc410af01fd9efe17c736ff6c89a17a167f22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
40f0f39c13d458a47873e22f929463b8

SHA1
03c80e7babe7e2479ea6506b84cf72c9826db8ba

SHA256
bfc2ab2399c184acc876bfb3fe40bda56bdf3684240fb98cd0a25d95be85a471

SHA512
5db0fdea9294c3d7a29bf4b6add80f03a8b5e39ab303a00fee2a8935a762bcb4d6091c89f2626a6fb7629851617f1055bd8dd689fa049965544501a933c75ab4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit