862a1531be831680c2d17fb1a87f21d954b7acf60ffffb75e9adc5c2c73efa65

Resubmissions

30-10-2023 20:33

231030-zb7plsfa8v 1

30-10-2023 20:19

231030-y33pasfa3z 7

Analysis

max time kernel
1801s
max time network
1692s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2023 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cooperate ORDER 1.html
Size

2.0MB
MD5

2c0881e415e213b242650cc5570a72b5
SHA1

6b72cde0684974e0e2d695a404e4add77a707638
SHA256

16b3821e9a0c291c21a29b3692409f5638ce2e655544746c74be8bc8d60ed63a
SHA512

113fb5dcb839b8494dfef86c38b370774e831a7deafc41323b1353016ffe35f89910d855ccb8c229356123ab8a892be91a7f402a08b54885dc07b1d289a15907
SSDEEP

24576:ejVX3LHQFXskXbKtr8RmNKo/IsQyZRWQ6zPMlAmrJhHdLptQN5KZ7Hj16EsvqJ2M:3XsJtIRME0kPoL545qhsr+2i/Jves

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133431707876902022"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4368	chrome.exe
4368	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4368	chrome.exe
4368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 4264	4368	chrome.exe	58
PID 4368 wrote to memory of 4264	4368	chrome.exe	58
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	89
PID 4368 wrote to memory of 4180	4368	chrome.exe	90
PID 4368 wrote to memory of 4180	4368	chrome.exe	90
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91
PID 4368 wrote to memory of 4372	4368	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\Cooperate ORDER 1.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedcfa9758,0x7ffedcfa9768,0x7ffedcfa9778
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1832,i,8706407285901963407,13933345616061288088,131072 /prefetch:2
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1832,i,8706407285901963407,13933345616061288088,131072 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1832,i,8706407285901963407,13933345616061288088,131072 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1832,i,8706407285901963407,13933345616061288088,131072 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1832,i,8706407285901963407,13933345616061288088,131072 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=1832,i,8706407285901963407,13933345616061288088,131072 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 --field-trial-handle=1832,i,8706407285901963407,13933345616061288088,131072 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=948 --field-trial-handle=1832,i,8706407285901963407,13933345616061288088,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
90da2cba96e3ab9ece01cb03849ceb74

SHA1
ea26c55368606a04387b8dc447b92b29cb012dba

SHA256
d59348686ee82edc551ec7ced0ee63492f9d7c68a867c03b9f020e6c025be400

SHA512
363a42b92e3525e95806acca72006fb64b62eae2c61d113cc24508f095f0f9096eb2c2ccc0f00e4916de146dbe8689a66967e9827c053fd94908b3ed4207de56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7d4bd2ee090a5fe358847d2ec71cf77c

SHA1
4218d8d68f16298626e8577492d5aae19ba4fcde

SHA256
c857a73216978516fb85100e710b19fb9ce60ea358890ceb270aedc84fc4dd94

SHA512
a5a14d49f00abe33d8be8de997a49856745dfbc86b281fe73952ff59b01d9dd4b0a2450f4cc9b38544e1a8378e0028284d4263f52215ebd9c92782b07794f597

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8ecc5103f2cc3f2acf140f095bd34659

SHA1
32227a0c90579585ebd486b8193b4edb73685ecd

SHA256
48a0c868e8cd1a5e81ac95079be2abad176e865272edb2f9433845b6400d9d28

SHA512
a7fea32f4e6fb29df3d4db4c9f2c1711b90b370735c61401c469e568218471f19440bf664e068886df755106f97d29545d9c04112127a29785b5fd71f1721b75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
159dfa4518fa5a2798c975de6718b327

SHA1
ec1b47649774f42ca83d7968ff843af98dafec4d

SHA256
cecd5c82495de35a1060168af02b89072e10ca2db048372086c8e8c97c1106e5

SHA512
cb1f4cf045375f00357c53def775d527a6b69f8639d7293f9c1561277b0d88e46cb3c328465d796940b836d579229848fa28c193d9979af9e8a4dc26413145a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit