hxxps://wyatt-design[.]wetransfer[.]com/downloads/8631b83ee420b4666ff67071eb78a48b20240119121034/8ede8340684b12239811fc7c44ec8ac320240119121034/bdf624?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid

Resubmissions

19/01/2024, 13:04

240119-qa9cdaeecr 4

19/01/2024, 13:01

240119-p9bpqafaf8 1

19/01/2024, 12:42

240119-pxrv6secbr 1

19/01/2024, 12:40

240119-pv7hvaege6 1

Analysis

max time kernel
600s
max time network
591s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://wyatt-design.wetransfer.com/downloads/8631b83ee420b4666ff67071eb78a48b20240119121034/8ede8340684b12239811fc7c44ec8ac320240119121034/bdf624?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133501420620277268"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4288	4888	chrome.exe	21
PID 4888 wrote to memory of 4288	4888	chrome.exe	21
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 1224	4888	chrome.exe	88
PID 4888 wrote to memory of 2140	4888	chrome.exe	89
PID 4888 wrote to memory of 2140	4888	chrome.exe	89
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90
PID 4888 wrote to memory of 2344	4888	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://wyatt-design.wetransfer.com/downloads/8631b83ee420b4666ff67071eb78a48b20240119121034/8ede8340684b12239811fc7c44ec8ac320240119121034/bdf624?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf24d9758,0x7ffcf24d9768,0x7ffcf24d9778
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1872,i,8990222947796217202,2661954552014479566,131072 /prefetch:2
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1872,i,8990222947796217202,2661954552014479566,131072 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1872,i,8990222947796217202,2661954552014479566,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2880 --field-trial-handle=1872,i,8990222947796217202,2661954552014479566,131072 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1872,i,8990222947796217202,2661954552014479566,131072 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=1872,i,8990222947796217202,2661954552014479566,131072 /prefetch:8
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1872,i,8990222947796217202,2661954552014479566,131072 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4748 --field-trial-handle=1872,i,8990222947796217202,2661954552014479566,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
6d9802854f393dcaa7a98ae4ed5b0723

SHA1
303515379b3b6d9e4de885595b2a8c19f153d1ff

SHA256
97ea5f68e2c66bb7dc9e4ebead6a6809c11d5f364fae80cadcdda7d239d9e9d6

SHA512
2155781e592817e14aa51fd4fb1055a8c582f64b070dc97e836df2159e36ccfe78c5bf5c090253f79fb8796671790b3599ee5a4aaef2f5875d9bb934d41c72d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8b6b5756e67bfa1be0269d2c8ef51ea0

SHA1
c01d9c5e0cace6814ae01b5d191dd9f4c2f2503c

SHA256
7bc93e113d9ffdc9cac58b63bbbd8dc45d907cfb73c015be9a13e7aba80bcf1e

SHA512
df23843aef2a8948bbedf86392ba385e5bb5697c53ed4c52f21429baaa6739932e709a065f366e8e176af2f3e351918a095c6556cce4c01012976e6a287f0568

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8b06a487fe3c928ac7c9f7279f718c65

SHA1
f13b9f4a59f7d3761e7adb3a419c340afa5a78eb

SHA256
f62e9abf209543525847d40bc1d5ac2ad8f0b8e0e7c57cadf492f2566a7013f5

SHA512
3a3e1b2b2453c6a977801a152a946b7377eb20ca2444c541500ba4f16eced43e27cb165496ba31c5d97aca48a8a96292456e37a3885ad731079a183011bd3177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e2e0f564c5c2514a2cb674ca8017c4a7

SHA1
40499cd0bed4ddff575484b24b150cbc4abf72a6

SHA256
c87ba8751d71e9cb048fca1c78be51bfddb8c9040de28dff832309c34fdac28b

SHA512
febba0a7cb44840878474a6a15dd88d92e413e0712239d32e8531b8f208e25a6789d52779a1d93db5eadbc1118c12f4aaf444ade02e9b78f8c58e12b7b09db8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
b0e2b66c222748ec469fec08ea8012d7

SHA1
c65f66b9b9953f007688ac10543c8b0be38e5287

SHA256
0f44475a563aee4219fbc2f12330fa4a945e4ee653b82c976342f7b2f9649d6d

SHA512
1fa02ac9ac3cf6e51a8270ed33b6f1b08012a3ce8ebf53ce8bb28f44b7c948c916032d1d193e3f8dc4266891f5164b92e7c9acc3b69586c52fd4a510b903b9b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit