hxxps://pixeldrain[.]com/api/file/cUEiDeMZ?download

Analysis

max time kernel
43s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2023 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pixeldrain.com/api/file/cUEiDeMZ?download

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133434663265635313"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 4804	4452	chrome.exe	86
PID 4452 wrote to memory of 4804	4452	chrome.exe	86
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4952	4452	chrome.exe	88
PID 4452 wrote to memory of 4528	4452	chrome.exe	89
PID 4452 wrote to memory of 4528	4452	chrome.exe	89
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90
PID 4452 wrote to memory of 2800	4452	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pixeldrain.com/api/file/cUEiDeMZ?download
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcd5479758,0x7ffcd5479768,0x7ffcd5479778
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1872,i,7460795574403834000,447082619360155118,131072 /prefetch:2
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1872,i,7460795574403834000,447082619360155118,131072 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1872,i,7460795574403834000,447082619360155118,131072 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1872,i,7460795574403834000,447082619360155118,131072 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1872,i,7460795574403834000,447082619360155118,131072 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1872,i,7460795574403834000,447082619360155118,131072 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 --field-trial-handle=1872,i,7460795574403834000,447082619360155118,131072 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5464 --field-trial-handle=1872,i,7460795574403834000,447082619360155118,131072 /prefetch:1
  2⤵
  PID:1884

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
2e35a82665167024b347b7e5e95b8745

SHA1
b24dc46d849d6e2829ca61200dd78e2c53847822

SHA256
a4d345fb48189d1169649141a15a81d94bfc3555b8d315a3833166cfa885aad9

SHA512
126dfbbeeaef9c9c4df1263c11b16b502579c27a2bc1cbc76583cb459c2a4c106f58f9efd5d551313e76e2857099281a53908eb94d2e1f4edd0feed39573f0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
03331657ff9974e8ffcb463c98901d2d

SHA1
86f76eb8a2a432d6557e71d647ce9a737412f1d9

SHA256
851a8d8035b77c41ccd5995e173c4eae3773175bcbdcb628916ec56dc6f47abf

SHA512
0938fe4d4981af3216e7278d84e5c8105737e69679338dce96f4e16cb1ddd4bc86d1221acb01bdcea800e1e90a2c764e28326b40a3577be5df5b1b6f63b7de70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
243ccd0a61cf1a6df9dc89daa82964d8

SHA1
4bfab83050babc9feea20be91b9b194e2f0fe8b2

SHA256
5364920d692a306265d6455043765018228586ce68403c1f8cc5c9ea7923b766

SHA512
236a8941a55866ec8fc6a80b699936a1024832b62cc9efb213674db0f33d11c81968dc79420036283b618fcb5bc1b5bd8b8a3cb70dacb8df9f4cd1c8a499c48f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
d20b53702e79d6380b279f7d227f0f55

SHA1
2d4a2c239729d3cfa1c22a1ed0968303c7fc5324

SHA256
2ef406044aaadf32ac8e2d75e66ba69fbb8a3204ed1dbade8ca0d22fa29cff30

SHA512
3785b70be1f70ac2e310ef77bb0c39659a8bf94a9a1563200bc9dc40a5ff5a49876be9134c614ee32d354bf2dd0b30a3ac9d29bd285349439cc84bb73c218abc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
b04b7fd41bd44c09f6704c2da51cbd9a

SHA1
165d7f175d16ca6e612d4e5ad4de465049b67688

SHA256
37901982f17dea44ed2ed8f43166850c33f8394718d794e14a55fdef11924053

SHA512
de49ac32e88794d2527d17d51d49d5c3908e1c23f5a3e97f6125097bb85086607acacf8fb81970c26a3bd5ac07fa3156257980823f18ac408f8ae011c0ccde9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit