hxxps://files-ld[.]s3[.]us-east-2[.]amazonaws[.]com/ORDER_SHEET_SPEC[.]zip

Analysis

max time kernel
1799s
max time network
1689s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2023, 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://files-ld.s3.us-east-2.amazonaws.com/ORDER_SHEET_SPEC.zip

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133449473735822854"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1652	chrome.exe
1652	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1652	chrome.exe
1652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeCreatePagefilePrivilege	1652	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2020	1652	chrome.exe	85
PID 1652 wrote to memory of 2020	1652	chrome.exe	85
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 1072	1652	chrome.exe	88
PID 1652 wrote to memory of 4276	1652	chrome.exe	89
PID 1652 wrote to memory of 4276	1652	chrome.exe	89
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90
PID 1652 wrote to memory of 4800	1652	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://files-ld.s3.us-east-2.amazonaws.com/ORDER_SHEET_SPEC.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8b389758,0x7ffd8b389768,0x7ffd8b389778
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1876,i,16761272757009540793,12570973835498959102,131072 /prefetch:2
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1876,i,16761272757009540793,12570973835498959102,131072 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1876,i,16761272757009540793,12570973835498959102,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1876,i,16761272757009540793,12570973835498959102,131072 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3248 --field-trial-handle=1876,i,16761272757009540793,12570973835498959102,131072 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1876,i,16761272757009540793,12570973835498959102,131072 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1876,i,16761272757009540793,12570973835498959102,131072 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1876,i,16761272757009540793,12570973835498959102,131072 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4700 --field-trial-handle=1876,i,16761272757009540793,12570973835498959102,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2788

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
47a1a63a50242134b69cac1d547fa1de

SHA1
c3ddef60c66d84e3c8a8d8110c7e8735874c2039

SHA256
f3467da91b3ff91bed9bd9f852d8abe25609b728d56dacd7a019f284d3b82fca

SHA512
fb07d86c7a0946d9c7c503b14dd8564b1fc98ddebe7cb5f017cd4d830441dfa6073eeacea7582b6fed8a39053f84967e1698ec303d37d18124a6740ba9e3dd5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e0f9edba0122ca6cc5c12d199388b0da

SHA1
27289725cd210dc0b6923d987bc9883d32c06c7e

SHA256
9acb64af22cf68d55ff77adb159d8ff3800bce6566d330bbfdb963b1d19d54b6

SHA512
00cc8ef1a8f389fa97afbe3aa0da2fcb79a546e9d8d48b798b8ad02cf7ca9e461de92a5e5f892a0ea500aa8dfb491352335f6f77c9fb233f5522367467a03e46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f1f6d20766024edcad16f769cc0270d1

SHA1
75bb581d0c315b1769753c8e4a38271543fbb1ad

SHA256
e9d14c10965905e6d40b1fdaf0b3f7e0c2e4db42682fe8a2a341d00ea9f17221

SHA512
f23fc4b3cc1976aef594257f04e262bc3eb606e9cef5097285fe92225510d09df3e5eb5c2fc436a02d37051c32506037d7ce4627717530e26f53403f95b33a78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
865432139ae383b31a2b6dc8d06e44e5

SHA1
20c335b06d37c8a1fd8ae4c4b10f715817c68eb4

SHA256
371eb2a21d7c2d77ef988989352ea943980098403a9f9d176f59aaa6987ffd1c

SHA512
d6653d9d3d6226a267abad4c943e1da0ff8171092dec326194faf1b15e761718f65ee4e37e5bc92e668decf9b1cd1917bdee15a30a934f24fef02a660d81c700

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\ORDER_SHEET_SPEC.zip.crdownload

Filesize
67KB

MD5
93bf58d227852a25c0ad12750ebfea86

SHA1
bfab6abb9c7444ff31dbbcba92fee92daaaa5679

SHA256
22e8e4fb8b26ad737393013f09fdd97aad5e7d69cb7d6a7154ca3c476b920e7c

SHA512
6cc39c534ad5f1802a1a59b7767cb7d14139b70c93da6333374bb5a302e13ce8062c0065db2688b0234059b6dda89a78be045e78d2d59fc0aa97fa6484626525

Download Submit