5b15b82f02761d800726ed3b124ed1e3125d8b64059b76e4bb3c939a5edfec49

Analysis

max time kernel
150s
max time network
142s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
19/11/2023, 00:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

unnamed (3).webp
Size

602KB
MD5

1bad218df2dc41f5d3b9fa8085d93bac
SHA1

367a44ff1bf71e6eaa79e23cacc41845ea989cf7
SHA256

5b15b82f02761d800726ed3b124ed1e3125d8b64059b76e4bb3c939a5edfec49
SHA512

62df6494e3d61ac2bdd74332f9610ed7bee41054950e563185481dcd68c206ee64f6840f2d5d54d2a3dcf896a7a588adcf10e9d0974c5c73446006d7272c4ffd
SSDEEP

12288:R79B8k8TCRh7FK/j481hT0RCD23ncZSsBaXGMTlULB607L:R7vhsCjA/B1hIRIecZOziLt

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133448262940764718"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1072	chrome.exe
1072	chrome.exe
3196	chrome.exe
3196	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1072	chrome.exe
1072	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe
Token: SeShutdownPrivilege	1072	chrome.exe
Token: SeCreatePagefilePrivilege	1072	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe
1072	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1072	2980	cmd.exe	73
PID 2980 wrote to memory of 1072	2980	cmd.exe	73
PID 1072 wrote to memory of 4668	1072	chrome.exe	75
PID 1072 wrote to memory of 4668	1072	chrome.exe	75
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 5092	1072	chrome.exe	79
PID 1072 wrote to memory of 3984	1072	chrome.exe	77
PID 1072 wrote to memory of 3984	1072	chrome.exe	77
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78
PID 1072 wrote to memory of 4384	1072	chrome.exe	78

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\unnamed (3).webp"
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\unnamed (3).webp
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8a6f49758,0x7ff8a6f49768,0x7ff8a6f49778
    3⤵
    PID:4668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1852,i,8938174361683384149,12144305352391895047,131072 /prefetch:8
    3⤵
    PID:3984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1852,i,8938174361683384149,12144305352391895047,131072 /prefetch:8
    3⤵
    PID:4384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1852,i,8938174361683384149,12144305352391895047,131072 /prefetch:2
    3⤵
    PID:5092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1852,i,8938174361683384149,12144305352391895047,131072 /prefetch:1
    3⤵
    PID:3588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1852,i,8938174361683384149,12144305352391895047,131072 /prefetch:1
    3⤵
    PID:64
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1852,i,8938174361683384149,12144305352391895047,131072 /prefetch:8
    3⤵
    PID:2648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1852,i,8938174361683384149,12144305352391895047,131072 /prefetch:8
    3⤵
    PID:4828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1852,i,8938174361683384149,12144305352391895047,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3196

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7edfb84e10cb25e9918718ca50ed7210

SHA1
8a0f0cd6c56317eec4eadb0b7ef9c970df564400

SHA256
056aeff32f08f9aa87aa72d762ad5bcca811a2890225b2b82766e5098d733c88

SHA512
6b8b39e89da15f488763a86d7f20350c4e73733743aae6774d3b2d66d4a5c7aabcf3a03298832fc489dfe01d4b9c1160995527786198782ce6167f8c0c773d0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bdde40408be5b9380294c4fd11cbc289

SHA1
60a348b0bdc863fe0c76ae66dd3e6ae7dcc7a5dc

SHA256
31651af0ed3a75058c63bdfa11d09a50c2b7f16a1ae5106a5a5d02556a479daa

SHA512
a0e7dba496c01cf8ad823fb17574143f57517335260b5940d02b27953d56c0cad5371f5cdd06af29998ba309abc29e9ae0e57564a5186cb681bf331d5c10a5b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
16db9be1e7f6254d592205f7725c3782

SHA1
b093c38e742b68eeabe7dd66fcdb0beee7e8e7d9

SHA256
8620f0368c08da1f90f38990ea8c473f3430c34f977600c7965da23c55660a74

SHA512
ee11ff23e90ca806b6a928ed336bc0348cec458a09071ac0311c866c947b904ab42e64c8b9633036b7c6ee24cae3761fcc8bb6af1ea19ef99568627caa03a21c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
217KB

MD5
c0fe792ac9d6787fbb1f936520e8a078

SHA1
1c909a5ea62b0e080789079c5724783376c14de5

SHA256
743e7824ac13ef19ec09181ac88f6c2b7267db79a46396a29fc202fab7218451

SHA512
8c402b62d668d47492f1416509696a58b01ca5da4a6f208b22bcfebeda73fa7bbde6da95bbdb823ef41730a33bad99269ea6fd13e84ef0c3e6c040b18a882405

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit