hxxps://cdn[.]discordapp[.]com/attachments/1202543546121588759/1202545096453521418/file_ver3[.]rar?uel=alphabet_icons_free_ico[.]zip

Analysis

max time kernel
1800s
max time network
1691s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1202543546121588759/1202545096453521418/file_ver3.rar?uel=alphabet_icons_free_ico.zip

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133514502062496082"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
4956	chrome.exe
4956	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1936	2232	chrome.exe	36
PID 2232 wrote to memory of 1936	2232	chrome.exe	36
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 3296	2232	chrome.exe	85
PID 2232 wrote to memory of 904	2232	chrome.exe	87
PID 2232 wrote to memory of 904	2232	chrome.exe	87
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86
PID 2232 wrote to memory of 472	2232	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1202543546121588759/1202545096453521418/file_ver3.rar?uel=alphabet_icons_free_ico.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd18739758,0x7ffd18739768,0x7ffd18739778
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1904,i,2375773893303117352,8585173142974256035,131072 /prefetch:2
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1904,i,2375773893303117352,8585173142974256035,131072 /prefetch:8
  2⤵
  PID:472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1904,i,2375773893303117352,8585173142974256035,131072 /prefetch:8
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1904,i,2375773893303117352,8585173142974256035,131072 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1904,i,2375773893303117352,8585173142974256035,131072 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1904,i,2375773893303117352,8585173142974256035,131072 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 --field-trial-handle=1904,i,2375773893303117352,8585173142974256035,131072 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1904,i,2375773893303117352,8585173142974256035,131072 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2692 --field-trial-handle=1904,i,2375773893303117352,8585173142974256035,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4956

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
055f5139226cb0b08568a9a918cdafee

SHA1
2d232c2e8feb41f6ea4f4ed60d277e193cec7175

SHA256
60a986dcac501bbe2ceabdf7e6724982c877836061ad169245cdc6650de0238f

SHA512
26af6589f8ad04a55c6a7a0a83253ea81ae52dea6c07177c085216325b3a42b6bfce21791c4bd2f37b47ffad2e27ed04e48e323a233630a545a3c22d69eaf833

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
5642878a8cf9b280be48c8f39c9a1778

SHA1
3514176678e3e7f0ddc9811fbb3dd7cf51eadd6f

SHA256
cd6a347ae882e5e2a23d945f0adcfb67d6313142ab0ed77385be3339cb349be3

SHA512
70e80a82fb8d244cd7bde66ee0a34fdd8549f8561c5f48f525b29c387ac678416626cde2532deb2cbc343560512326ab362a380f0964dc2cb2e195b6fe3ebe86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e3ac7a0bd2124ddb58031880cd49d41c

SHA1
33c6b0d2aec62fd6f7d47ce206058b3015d0a7fe

SHA256
05aaf3a3bd36647ddd94f682490e176d74114f0d5169f6320cf4416f585d8e81

SHA512
0e4e2fcd38100dc4c333a2c001adeba56b7e3dce699cac1c6553d2659f11c1aac6fa85584a9e98a01a11ac9025d6ac6e9efd31ba8494c25daadc051560ff5595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
35c1f33b6c960b9ed81b79e7656f8571

SHA1
ed3b776eb58157d85f0d2718eea58c0e4f122231

SHA256
e6f9e98a6a70cf87fad0a69d94af6b6e8110de0e86829ffd0628fbae4c3ed0c0

SHA512
b226d4eb7ce94f77af04b0a953eef371f41cb8d2b9657fc88eeb2efc6ad1ac6cd4e2fe713e928d0c72d7fb52d7741a1b274d93e6d88507e1d391ec36b8ce1ac7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\file_ver3.rar.crdownload

Filesize
11.5MB

MD5
5193b39cdbb5ec353958140bff64791c

SHA1
969aac9e91dce41e3f69e5164462f036d7cf9551

SHA256
58a892e5a9f889ad959f8e627e2b6ca116d879dfced4288a051cce1d0f2c2543

SHA512
c37e8ac15702ee6c373e507ec21a519009cba2e8aaf5fc7da41a30c9533fb7ba9604b56f61141f1ca8a550eb0c03f5406691fc588fe90053b005c05705e42e18

Download Submit