34ac6ccee60080c4a8d0e239eb9591fdea853499cadff8967dd150be49295194

Analysis

max time kernel
1200s
max time network
1164s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
23/01/2024, 16:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tt.gif
Size

92KB
MD5

011c847390b80fd04a4c475e4b07f0ea
SHA1

9420317cfef62ef2c1206cd8221373c66443251d
SHA256

34ac6ccee60080c4a8d0e239eb9591fdea853499cadff8967dd150be49295194
SHA512

2ba0d9dc55990bf7138bbdb1494bd21ff598e82b5b67f4bd6abf490ee1ba8bfe825a25d71722175f01b575c2ea7419f84973d51f5a1abeb37309172ab91989dd
SSDEEP

1536:Qv8bjlPMn+p8LPPMriPAp4giClohwttT0LfBCJQwlDyPkHRgyWtv5g:68flPMn2I8mP/XCTkLf4WVcxgyWVy

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133505024831383125"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5264	chrome.exe
5264	chrome.exe
3648	chrome.exe
3648	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5264	chrome.exe
5264	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe
Token: SeShutdownPrivilege	5264	chrome.exe
Token: SeCreatePagefilePrivilege	5264	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe
5264	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5264 wrote to memory of 5568	5264	chrome.exe	17
PID 5264 wrote to memory of 5568	5264	chrome.exe	17
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 228	5264	chrome.exe	83
PID 5264 wrote to memory of 4648	5264	chrome.exe	82
PID 5264 wrote to memory of 4648	5264	chrome.exe	82
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81
PID 5264 wrote to memory of 3052	5264	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\tt.gif
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd23c49758,0x7ffd23c49768,0x7ffd23c49778
  2⤵
  PID:5568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2148 --field-trial-handle=1868,i,14474086796034081904,3540643297732182911,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1868,i,14474086796034081904,3540643297732182911,131072 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1868,i,14474086796034081904,3540643297732182911,131072 /prefetch:2
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1868,i,14474086796034081904,3540643297732182911,131072 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1868,i,14474086796034081904,3540643297732182911,131072 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1868,i,14474086796034081904,3540643297732182911,131072 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1868,i,14474086796034081904,3540643297732182911,131072 /prefetch:8
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2560 --field-trial-handle=1868,i,14474086796034081904,3540643297732182911,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3648

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
823B

MD5
12d2b21dc7f2cbc8c94a4848107d9ce8

SHA1
044d3e45a6fd4796c86ab09099a9365f8678becc

SHA256
e0c2962d83bdd4787f40e8ee7871b406fadf37b1dd4c566b6011ff7a0fd33f42

SHA512
62976a5320c03a080147a9149b16bd5d2b15157911b555be5d35b25985b0ace9f952d1678630691d2b3d5388dad3842a43334e4f8c8a0a93bee57acae311cdf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fa5c70ece72d5ef020d34a027eb88f53

SHA1
5ddd0bc1a10f335a19ecf4a8edabd76fe5451640

SHA256
e47f8880e0a7359d37f6b33b5e7562179d91beebd0ff40206189e4696ca7eb5f

SHA512
41b323ac1d525d55bac1686d3d5e8c223581d47892ad8ba6cb03149c6fb286de7926cf1b7ad68139abfcc706eedc9650767279068d8007df6a9fd34ca5337bb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c64c558705fca393518c5b79695bf142

SHA1
1a1ef3f00690f6a449858795675931fd0cc16557

SHA256
e1612dea928e3f64158abe11e55fc863ab401fb365f5d24c9653720bbcc4f943

SHA512
e873bef26cd8d5e85ca1d8e86b1eb5e8b458142a406b2a4cf67f338ce4ddd7e2a0ead99b28ef7782723b437aa338a384fae08b54d62505a5993c66a4a25a06a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
7f7fce25383fc79cc15b9b7a2b2bb424

SHA1
d9fdfbbea72ab3fa59c9ec87decd8ab48b4e7a01

SHA256
5d75fe850d44e5ad12219b270f30505a411a51fe19fa9af6ebc1a531ce79db53

SHA512
adc84cbe3dbdc81795572ba3ad2b590298a243adb963fe03041228b0ba26005b20cb6391a5ff5cad4c552bb352006cb7e3bd12df5fa83122d204a61c73858dd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit