hxxps://www[.]dropbox[.]com/scl/fi/y4ddl4zye0s3st5tttz4w/Access-File[.]paper?rlkey=fbz4raof9fgoe5vst4jcrc50d&dl=0

Analysis

max time kernel
390s
max time network
370s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/y4ddl4zye0s3st5tttz4w/Access-File.paper?rlkey=fbz4raof9fgoe5vst4jcrc50d&dl=0

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{080D95A4-D47A-4C32-9FE6-AF05205B587A}.catalogItem	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133377287793992771"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe
4984	chrome.exe
4984	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeCreatePagefilePrivilege	2788	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 4124	2788	chrome.exe	83
PID 2788 wrote to memory of 4124	2788	chrome.exe	83
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 940	2788	chrome.exe	86
PID 2788 wrote to memory of 384	2788	chrome.exe	87
PID 2788 wrote to memory of 384	2788	chrome.exe	87
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88
PID 2788 wrote to memory of 804	2788	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.dropbox.com/scl/fi/y4ddl4zye0s3st5tttz4w/Access-File.paper?rlkey=fbz4raof9fgoe5vst4jcrc50d&dl=0
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffc13699758,0x7ffc13699768,0x7ffc13699778
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1856,i,1971729884780364550,16321720956686522796,131072 /prefetch:2
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1856,i,1971729884780364550,16321720956686522796,131072 /prefetch:8
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 --field-trial-handle=1856,i,1971729884780364550,16321720956686522796,131072 /prefetch:8
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1856,i,1971729884780364550,16321720956686522796,131072 /prefetch:1
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3324 --field-trial-handle=1856,i,1971729884780364550,16321720956686522796,131072 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 --field-trial-handle=1856,i,1971729884780364550,16321720956686522796,131072 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1856,i,1971729884780364550,16321720956686522796,131072 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2788 --field-trial-handle=1856,i,1971729884780364550,16321720956686522796,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:760

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
22d4e974f8d8bb3b769deadd4031c4dd

SHA1
38e6680f7fa553fcd9882166713ec4c92bfb84e2

SHA256
68c9c71784ba06a5476d9e11b77340570b32606da75dc3c506b5114c95b258fe

SHA512
a2786dbf942af43f3dcab6d2d0309fd5fcd89104927f98739ad618a11e2b71fbd8f184b6745d99666d5f0c974773906dd189d264ba3c0bc3c194ec6b7c2f51fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
4e57147f04db0828fa49e96583b06ccb

SHA1
6aaebaed923d99a013e157df0a870bd45a3613c1

SHA256
065a1c4751c4139c89205975e520c864bfc0d337888171ff1bed67ff2bb71cf9

SHA512
81376a62cb8f0ec41e7f55faa0b99b2453fa72da6490793f8d6b903edc725efb99fbca69c8d74411315030c333f5ad75ec224bc2e00513c4aed5610fbfd49f4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
788b0df6531ef097398e14e5fcee3748

SHA1
b10da39b34285ba594cba249bec831fd93e55d30

SHA256
ea8646f457cfffd059c031475b323f60e4fbcb237d582cc3225fd50f77aae69c

SHA512
7bea8d705bfaeb71202fd4eae8a2229de967ca022fe9697a2da9245b25c39569be2f6fffd1252ff85bd7fb62f36842fdc489c9450a06a6d6cf5d85a70c2e91fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0bba01cc92f62b14e72d19cec8dfc646

SHA1
b796e442b715146a937c1a373dbbf3f0f1ea66ad

SHA256
2fb3a9b20e11122a618cb86868ed8dbb61ad485f961c45dbf21a0fc4fa223abe

SHA512
598af12cacf0f7786e66948a65634ba64508402f2d3225ca49738e5ac7369b4053160eaee63d1df618a50640dd6ff6492fe2ecced0727db02082ebc4d4ceeb12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ca65d957ff94950399e0675fb05b2fca

SHA1
0a8c2fae65ae3629f5ae4331faddb9bf3445f61e

SHA256
03fc855ab7cdd2f92b29cac368ac378c60faea4ab2a18c30b084b01f7fa0750d

SHA512
522d679332ef1966b784a4c590168a8e2babebbcab1406f1cb453548d61cb4d105f2c45c9185dc44c132fe89b63bf72744cad8c4505840374afd72489cec61c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
94KB

MD5
f89db2871ef80b782ce70d41a0bae760

SHA1
da9311734ed293a03930b6c8f2fdaaf4b00e26ed

SHA256
f4bc5002ed515118f42679dbb0d41f82d5743af01729206dcb7be88930ac2a5c

SHA512
e54eb3f3460a51e4afa69f2bb723cfa6342a5eb376c1a8ef618eb25a14c5366ae48fbd99491331111e3cbc04e2987d31dd02e97c59727a7495b6d7d7015fc2fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit