hxxps://google[.]com

Resubmissions

22-10-2023 15:51

231022-takkssae3x 1

21-10-2023 14:02

231021-rcar9sfa4s 4

21-10-2023 12:50

231021-p3e4kaeg2z 1

19-10-2023 12:13

231019-pdqtrshc44 8

Analysis

max time kernel
188s
max time network
262s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
21-10-2023 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://google.com

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3692	chrome.exe
3692	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 3164	3692	chrome.exe	46
PID 3692 wrote to memory of 3164	3692	chrome.exe	46
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4792	3692	chrome.exe	75
PID 3692 wrote to memory of 4872	3692	chrome.exe	73
PID 3692 wrote to memory of 4872	3692	chrome.exe	73
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74
PID 3692 wrote to memory of 3652	3692	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffad61a9758,0x7ffad61a9768,0x7ffad61a9778
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1864,i,264730332351332258,3983454730560458948,131072 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2036 --field-trial-handle=1864,i,264730332351332258,3983454730560458948,131072 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1864,i,264730332351332258,3983454730560458948,131072 /prefetch:2
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=1864,i,264730332351332258,3983454730560458948,131072 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1864,i,264730332351332258,3983454730560458948,131072 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4432 --field-trial-handle=1864,i,264730332351332258,3983454730560458948,131072 /prefetch:1
  2⤵
  PID:2532

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2652

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1432
- C:\Windows\system32\diskpart.exe
  diskpart
  2⤵
  PID:2432

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4596

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
fa0e69c0e5b290f79fe6fad07b321089

SHA1
4a6269b8e0cd993e33953cd9104681c2d583161d

SHA256
6e5d2fdf012e88b7850e8c2c39b0da0b1009d07a58ba62ca2e6bb01cd39c34b2

SHA512
49b8d15a07619990253ae43c2b7e7a62866f7cc5f23ba739776c03df3fba9105537c2a5bf84869c6d286d6fca87a42220d4702522767860daec6d97d1a622227

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4c70c20e39a8b33ab815b603847e226b

SHA1
7a700b5e7482a9903c1d8ca8919ee85e3897dc10

SHA256
d7186e81b1b38d6b05c458196653e0dcb8ec0da520fcecc2d0e87158517b802d

SHA512
02f29ba5230fca306c394c8fbcf25d47e0de390e31bfa143e0525b9420bd8c9f3e7fce3648f9c4d4d9c8baa40d89c7fd5e59ccf82d1052fbbf0362f083867042

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
3bdfe5d4b2e928ad961d223c0f662e66

SHA1
427231f49923a6b40cfe40790fad49e0186a92b1

SHA256
1cbcaf7099e671f6be3f105a6d8bb52cd9dd258b45cddedc3bbb6a9eba1b2a86

SHA512
81fc335ea46796e277e7496aff83963ce0d91e045a9f006e13298a9a582e2d49deb84ffdc2ee665a7b8453b68df37ef26064c03cafe8a71bb502acb27801faf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e9dc838442877c6e59d6049e58ec9410

SHA1
73a359ca284d9451e6a0d3660f0929c5491aa29b

SHA256
9ac573dfc5bc454e3bfaafd7cd96622653329351f93dce361544a7747da4e5e7

SHA512
54a507a05ce240a352e57ab39f97b51e4268aad1b889515a3e8c6c7d8791c1fe496c824c56f1378534493aef7ec368aec04e1e61f048199246faa88f80ee9dae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
106KB

MD5
4e22331a77757cfe3d8fc99f87d07fb3

SHA1
1a4c6d5cc7edb9e0d9ce598d4e88171cd77fcdbc

SHA256
4e333082a746d04856753eef5460be2508ec4a082fd57673994c4f3adb3db346

SHA512
b448df690ef4977bdf3abf0a5f5a0766c55a547f4dcc1d9a892b328851b9e6650580a9b42c168d1cac49aeacba85954ebefd69365185790aef474a58e7c07bea

Download Submit