Analysis

max time kernel:  150s
max time network: 149s
platform:         windows10-2004_x64
resource:         win10v2004-20231215-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted:        19/01/2024, 05:17
Static task:     static1
URLScan task:    urlscan1

Behavioral task: behavioral1
    Sample:   https://drive.google.com/sharing/boq/dynamicmail/star?ts=65a85fba&shareService=texmex&hl=en&id=1fp1J3BUNTKQXg0GFIzFGpLV6olWTQ8jT&dynamicEmailToken=AT-EgO2pRQXGKB_98YwYK2AGrDcN6hF71WLccxemqMVxjMcM5UXd611YVH84SJn0fdfgSytkRPxS7N5ZKitkU6-VBd2h4kOCUu2UWdCzL5b8tVNXXTASZE_Rnq6De80%3D&resourcekey&buildLabel=drive.explorer_20240109.09_p0
    Resource: win7-20231215-en

Behavioral task: behavioral2
    Sample:   https://drive.google.com/sharing/boq/dynamicmail/star?ts=65a85fba&shareService=texmex&hl=en&id=1fp1J3BUNTKQXg0GFIzFGpLV6olWTQ8jT&dynamicEmailToken=AT-EgO2pRQXGKB_98YwYK2AGrDcN6hF71WLccxemqMVxjMcM5UXd611YVH84SJn0fdfgSytkRPxS7N5ZKitkU6-VBd2h4kOCUu2UWdCzL5b8tVNXXTASZE_Rnq6De80%3D&resourcekey&buildLabel=drive.explorer_20240109.09_p0
    Resource: win10v2004-20231215-en
General

Target: https://drive.google.com/sharing/boq/dynamicmail/star?ts=65a85fba&shareService=texmex&hl=en&id=1fp1J3BUNTKQXg0GFIzFGpLV6olWTQ8jT&dynamicEmailToken=AT-EgO2pRQXGKB_98YwYK2AGrDcN6hF71WLccxemqMVxjMcM5UXd611YVH84SJn0fdfgSytkRPxS7N5ZKitkU6-VBd2h4kOCUu2UWdCzL5b8tVNXXTASZE_Rnq6De80%3D&resourcekey&buildLabel=drive.explorer_20240109.09_p0
Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Enumerates system info in registry (2 TTPs, 3 IoCs)
    description         ioc                                                                    Process
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
    description       ioc                                                                                                      Process
    Key created       \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                    chrome.exe
    Set value (int)   \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133501150686392598"   chrome.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
    pid    Process
    1888   chrome.exe
    1888   chrome.exe
    5048   chrome.exe
    5048   chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
    pid    Process
    1888   chrome.exe
    1888   chrome.exe
    1888   chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
    description                        pid    Process
    Token: SeShutdownPrivilege         1888   chrome.exe   (32 entries)
    Token: SeCreatePagefilePrivilege   1888   chrome.exe   (32 entries)
    (the two tokens alternate throughout the 64 entries)
Suspicious use of FindShellTrayWindow (26 IoCs)
    pid    Process
    1888   chrome.exe   (26 identical entries)
Suspicious use of SendNotifyMessage (24 IoCs)
    pid    Process
    1888   chrome.exe   (24 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
    description                        pid    Process      procid_target
    PID 1888 wrote to memory of 568    1888   chrome.exe   42   (2 entries)
    PID 1888 wrote to memory of 3268   1888   chrome.exe   90   (repeated)
    PID 1888 wrote to memory of 3288   1888   chrome.exe   91   (2 entries)
    PID 1888 wrote to memory of 2244   1888   chrome.exe   94   (repeated)
    (64 entries in total; nearly all of them are the repeated writes to 3268 and 2244)
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1888)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/sharing/boq/dynamicmail/star?ts=65a85fba&shareService=texmex&hl=en&id=1fp1J3BUNTKQXg0GFIzFGpLV6olWTQ8jT&dynamicEmailToken=AT-EgO2pRQXGKB_98YwYK2AGrDcN6hF71WLccxemqMVxjMcM5UXd611YVH84SJn0fdfgSytkRPxS7N5ZKitkU6-VBd2h4kOCUu2UWdCzL5b8tVNXXTASZE_Rnq6De80%3D&resourcekey&buildLabel=drive.explorer_20240109.09_p0
    Signatures:
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Child processes of PID 1888:

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 568)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeccb99758,0x7ffeccb99768,0x7ffeccb99778

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3268)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1832,i,754291908510604844,15337484390162131379,131072 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3288)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1832,i,754291908510604844,15337484390162131379,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4940)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1832,i,754291908510604844,15337484390162131379,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1732)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1832,i,754291908510604844,15337484390162131379,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2244)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1832,i,754291908510604844,15337484390162131379,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4976)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4624 --field-trial-handle=1832,i,754291908510604844,15337484390162131379,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4972)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1832,i,754291908510604844,15337484390162131379,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 904)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1832,i,754291908510604844,15337484390162131379,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5048)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=916 --field-trial-handle=1832,i,754291908510604844,15337484390162131379,131072 /prefetch:2
        Signatures:
        - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  (PID 220)
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5:    42da5242f9dff784c9c417ff94bc1a3d
SHA1:   1eac9ed1ca46eb72fee1f45d4477088cd77e8ef5
SHA256: d6eeac18bc23f2ba7164d29fd985ac5c2e4d2cf316ce33034ec9baa2a74344ad
SHA512: eb5b0528a57c8972896fecc0e80f3c38512e8fb7f6b5ffb295100e5e94e44d3a09d0609c4b3c158aaa571e32aeb8b8edf5bbf2ec91c6ead8b31bb87e35c5c526

Filesize: 6KB
MD5:    09e1853155572d76c5e5d21eb8b48d02
SHA1:   0fd76b3506ca634027bce89681437a6246541ee6
SHA256: d87bc63d75f5035068207c500d11c94d6519362dfd152224c08d28dbfff225fe
SHA512: 3b94f110f3f771b3080f5ccc80d3b3150f66bcd020af929e38828872b2651573a68b29b83220453aa040623a62e3e1ca8a27ea7db68882c7b943f1a31df0af90

Filesize: 6KB
MD5:    162a40974417dc928f1157f5242bf65a
SHA1:   d92e8ee11fa3c49326f0f09eb9bd65bacfa76199
SHA256: abc2d06835998c531fca872139adf84519c20e7eabd8e667356388b214ee5797
SHA512: 45feaa61ab6b2e707814a6a697e7ef1b30a0a8d4e4198059ed9d12eca7cd908fb3140d64027125589bdd10b351058e0a6dfaff0e0b54bdae4b0e8e51575e970c

Filesize: 6KB
MD5:    30874921a187517975e1ce2f216846e7
SHA1:   01a4acf822c8319dc5eb75da77c327ad9ac7d9d9
SHA256: 5687b55b5fe98b55e9b92b64a71fc395967d201d1fdf010f970d9c4c67449320
SHA512: 751973c05bcc31d9b842070008be2ba7839400655f19375268d5d7a7bc6c5ba3b1f2742521ca463e892cced1b77752ec0c11638b5adee9b926d4edf1364f8bef

Filesize: 114KB
MD5:    862c704f7545af22ae04c0afbd1fa405
SHA1:   10bee393ebb3713401fb4f1fcd467ce286597ec8
SHA256: e7091a194cdab5a20aa456a39eaa161f1f87953295d55abe93cac8f5a214cc0a
SHA512: 18c6a0ef7f746a7e2ab4de69b7996d6379f057cf6a63f2efe69e166b4008f2d17adf9edb267b6861d62c3d18a7d0c4d50bc8d9349cb3816063abb48c7e1c805b

Filesize: 2B
MD5:    99914b932bd37a50b983c5e7c90ae93b
SHA1:   bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd