hxxps://script[.]google[.]com/macros/s/AKfycbyiamvU9VsBY2ktQnGJLLsJs7GE_FK33yUHLnVLRaBLPrSqMiXxbjXczBjrxbrXveA4SA/exec

Analysis

max time kernel
36s
max time network
38s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
28/11/2023, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://script.google.com/macros/s/AKfycbyiamvU9VsBY2ktQnGJLLsJs7GE_FK33yUHLnVLRaBLPrSqMiXxbjXczBjrxbrXveA4SA/exec

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133456167655314623"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2100	chrome.exe
2100	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 4224	2100	chrome.exe	41
PID 2100 wrote to memory of 4224	2100	chrome.exe	41
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 4032	2100	chrome.exe	72
PID 2100 wrote to memory of 1412	2100	chrome.exe	73
PID 2100 wrote to memory of 1412	2100	chrome.exe	73
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74
PID 2100 wrote to memory of 4840	2100	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://script.google.com/macros/s/AKfycbyiamvU9VsBY2ktQnGJLLsJs7GE_FK33yUHLnVLRaBLPrSqMiXxbjXczBjrxbrXveA4SA/exec
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbbf5d9758,0x7ffbbf5d9768,0x7ffbbf5d9778
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=296 --field-trial-handle=1752,i,5600162790712198278,495234721846874590,131072 /prefetch:2
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=1752,i,5600162790712198278,495234721846874590,131072 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2028 --field-trial-handle=1752,i,5600162790712198278,495234721846874590,131072 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1752,i,5600162790712198278,495234721846874590,131072 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1752,i,5600162790712198278,495234721846874590,131072 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4440 --field-trial-handle=1752,i,5600162790712198278,495234721846874590,131072 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1752,i,5600162790712198278,495234721846874590,131072 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1752,i,5600162790712198278,495234721846874590,131072 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5124 --field-trial-handle=1752,i,5600162790712198278,495234721846874590,131072 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4260 --field-trial-handle=1752,i,5600162790712198278,495234721846874590,131072 /prefetch:8
  2⤵
  PID:4016

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x29c
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
7fcf9dccd6e86d8a0d81cc6376819f05

SHA1
5adf2a2d1ec31761836693b2f716319ca9ce2d6f

SHA256
6d290fc0ff97dc445de313d332b9866a1d75b5d1913a59b64122bca2b0b1fa97

SHA512
afd02a9b345633d27e763bac5a82c1d7529c4cc08d8a711bdfd296f93285784de4766aa1cbab04863a64e450a8388934f6c72e80d856b2c1ebecc19780184d24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
535B

MD5
38a93fd904e8af5d5fc1d118e6f8e757

SHA1
b5d01c1166ebda714bc298ee444eaefab25c0076

SHA256
03821824204b90a1b9500dd7ada27ddc1c2a839c15fcc8343a882ccb21cbc590

SHA512
9ac6659ce83bb22ea7cde36bc9b21deb02edf8675bd654c70ac07c4b23c692912d6c09c2c6c9e13128b8a3f3a8f643a69b8e402ce0736db8a9fc53d1ad87ff50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5297138cd9a4175ce2497dbab380c759

SHA1
219a86e7307dd39596d63db4753bb4f2aaad1cbd

SHA256
328cb1eaa4ffd323c5d29a2018c0c26dec59370c7d1df965a348dd824384db0a

SHA512
d5d911bf83681ef80a8ede2aaaf104b77915be92c66060acbef02604188a63e5d1de9ee56f7311994edef04a6044c7ab01dda5233b0279753e7c8a80ff511847

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2bb3ac8418a8dcadd83d31efb7d17ffe

SHA1
0ed029738b6b28d9dfa7ae5b3096977dc7962a16

SHA256
417b17b78e738c016e34d7147a88dea3e7c156fd1de2ee0339821dbfacf846c2

SHA512
7e5c6c2d0a73dfc368811525b4fb50f58ad8bd30850741cbad8896994f50fdf2e96375aa177e6a66bdaa85ff96cd7eb5e042f99c51d403e1f161f70df6da62c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
15d916573f3d87e5214411c11deb675a

SHA1
b1a2a175e794f962c95c875f9759a268c9d429a9

SHA256
ac83965786806c7e62b80394bc2cfe96be4b5d9a90a458483833e47a0612ab47

SHA512
cc8efc57b44e09d8d8335414d7ab5eccb68288394c9d50f641138ac8943b8f9de6750abfc21db2e6acea446d3367d431bd5e316f1c2f88dc9a6180f5a0e12494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
c1a499ac6d8bb7f5b20a121919449792

SHA1
e6824911a69c6036b4dd95cfc0398642bbf39766

SHA256
46ddeb66f4857998220a612c93f70cb925ef4396262d8d1196f746a9b0dcccbc

SHA512
acdd5f72a24342c6dadd3aa6756e22abcd1718252f993e4fe079055b7926666aac2c61cea274fc0c9b902ca973d32990c7ca3e61f5de2d0889dd104d564e8455

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
7f129d1763918daa47dd2417de3f1a04

SHA1
f139029c28912e2ea0b1a88744dd7f21b932bc9a

SHA256
a63e9d824613fdf5da887025679eb99ec96d6fb122fd44b13ead097d80d721e9

SHA512
ad0054adece27947af54a52bcfb8b9d66ca6a2a5103e17e5423df8021620259c129ba8c200f179bf52b281c1f3a4b1d033c750994ff8a06a424c361626214261

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit