hxxps://www[.]icloud[.]com/iclouddrive/0e72zCb8P7WeUa3H-lKiuOiCA#stgelectricservices%5F49493

Analysis

max time kernel
19s
max time network
61s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 15:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.icloud.com/iclouddrive/0e72zCb8P7WeUa3H-lKiuOiCA#stgelectricservices%5F49493

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1684	chrome.exe
1684	chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe
Token: SeShutdownPrivilege	1684	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe
1684	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 320	1684	chrome.exe	28
PID 1684 wrote to memory of 320	1684	chrome.exe	28
PID 1684 wrote to memory of 320	1684	chrome.exe	28
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 2872	1684	chrome.exe	30
PID 1684 wrote to memory of 1632	1684	chrome.exe	31
PID 1684 wrote to memory of 1632	1684	chrome.exe	31
PID 1684 wrote to memory of 1632	1684	chrome.exe	31
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32
PID 1684 wrote to memory of 2256	1684	chrome.exe	32

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.icloud.com/iclouddrive/0e72zCb8P7WeUa3H-lKiuOiCA#stgelectricservices%5F49493
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef63b9758,0x7fef63b9768,0x7fef63b9778
  2⤵
  PID:320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1180,i,18224853907635996060,12048301007858178996,131072 /prefetch:2
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1180,i,18224853907635996060,12048301007858178996,131072 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1180,i,18224853907635996060,12048301007858178996,131072 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2196 --field-trial-handle=1180,i,18224853907635996060,12048301007858178996,131072 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2212 --field-trial-handle=1180,i,18224853907635996060,12048301007858178996,131072 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1472 --field-trial-handle=1180,i,18224853907635996060,12048301007858178996,131072 /prefetch:2
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 --field-trial-handle=1180,i,18224853907635996060,12048301007858178996,131072 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3576 --field-trial-handle=1180,i,18224853907635996060,12048301007858178996,131072 /prefetch:1
  2⤵
  PID:1200

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5121eaaa0acc0a87b42128fcad7271e9

SHA1
4d3eacad3ade74875026c473912c604e818cb35f

SHA256
47bfb98bb094eab2111c97871c00c53e20865231c75274f925167a86085a93d5

SHA512
1b3b9ee1f25581717b66b1d6a10f8b89d3dde65c63215f8209ccccaca863adbed56ef9ae9801b042023b18de45c16027437c64f9330c7bfb0f861235e32edd0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54df653cf50b40d1d5f1d738b3fc055d

SHA1
89e61bad5d669015a99cc40216500dc5d262de53

SHA256
2c75df86dab9a3167dbe7b184b223b847548949b60c3297538b78828feceb55c

SHA512
4a8f35d4e8c202f7cb19f4ae6f21d414fb499ed4f62db148f079b92d96daa0a3da09b65c3bfe99b6dbc8ef070d14ac861f293a46d3a164de07fc7f181b4ac098

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb9fdb672eedb19c8ed1d4cc773909b4

SHA1
6932fc05bfed401c0ab2c420168587c49924d074

SHA256
9687c53c6ddbb6a58a2e6dc66433c4c1382c7a8ea36e71a3098b41bfa8547586

SHA512
ebde7a3b65bba3f31bc090a47e4e17a3fadf58975dbffcccc24e0b42206619a102b5e3d7bd128227e3f183b0721b3b04ae9627150e1f5bc0a4ae6433d66260c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
026a0235486ed85d0101e64be0692ab9

SHA1
6fb9665fc4537f39ad13417730693ab5fefd118b

SHA256
90f25a1c0fd0eaf30da1baf6a29dfd747b9545e84d8c2315b90acd1801cd4031

SHA512
940f1af462a8c67d1d1694c897039089fabc388da7690f6346afbbb5b5bd9e7a7b42e55a8e241b9f0acb29d9aa7652b968f8b5f4766346628e23451f10d6ae1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
117115397380b3852cd4d4a6b8324872

SHA1
a2d22ef4ee4bd197d8f6801f119cee0c0ff827fd

SHA256
a05d88f37dc7490898304226a581465b03d2157b18e9c53166429c63f787c811

SHA512
86c3b28f6ba6f056a28d7b890d48b6ac50aaf74ed9abaa25d37767e8db6496883d1ccbf478d7c2d86b995337ea6271778e1f3812b8050b84056d356222c209e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dae15e92d4f217f722d6143013e3491c

SHA1
16fb6ee748832a98ac6d6d8869910e0086d0ad8f

SHA256
efa4264aabbdccdeb3716731c252714db2d9ab4c1b9908fb4bd7c29261fe82e8

SHA512
4f9de471a2c68e8294839007cfcec795a233b45e8eac50c648aa6d7da0476392634a343e4b0c59490840b64bf991494ad94b4ea6a5e0beb15f15792a30fc2caa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
223bedc4aeb52754cf608826056055fe

SHA1
fc0d2359d5d71cbd105a15d80314b34672e30e14

SHA256
48e30b53f83b6dfa8f692e23a5a496607c15f2c7b48e10608b0a0181aecc366c

SHA512
da935e5e33b60565621a2566b14b3e2273518c52453e3d362f5c8e46627b7a05e429c1f08ec567954d6555f9d0949b494568c6feb37aae3af24d72a7da07e4bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
980f44e4f2398f5326bfb8f0ea1d8752

SHA1
2e849ae397aa41e5ecfa55b736d71b3d5e9993ab

SHA256
09130e95f248750b572b6af2ff178b35a84dbe84153f7de6841a878369339b12

SHA512
1183de3361e9ecfebb5ca4cfa3e2ff3b6f8901a2102d4a9c290b7a139134d0ae50c1371f73306a2093ab691d6996bd1ffd1434a0f86c1b2f830048bbae769a5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
08682be7dfc1a4016ac3597d9bdc841f

SHA1
a8682108245e552cceff3ce2ac8c8a3e2246701a

SHA256
1e344ad515e01608ad9538507acb30642f4a444b0f638693476f86795458d193

SHA512
52c59f267aa5c97575326c328a126361a32c9a8df9c7cee8db53678221123756d044eb30400709f78e986c5ec2602a96f2cb82e2795c976dcd6672d67dc2c277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab364E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3661.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit