Analysis Overview
SHA256
456ebef3ea4fd5820ebf1f96be5057967a020d7d1808a598dcda016a4629a00c
Threat Level: Known bad
The file [GitHub]Project.rar was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Executes dropped EXE
Suspicious use of SetThreadContext
Drops file in System32 directory
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-12 17:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-12 17:53
Reported
2024-02-12 17:56
Platform
win11-20231215-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2088 created 2628 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\driver1.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\tpm.msc | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4908 set thread context of 2088 | N/A | C:\Users\Admin\AppData\Roaming\driver1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133522341246862399" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\Project\GitMultiLoader.exe
"C:\Users\Admin\AppData\Local\Temp\Project\GitMultiLoader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
C:\Users\Admin\AppData\Roaming\driver1.exe
C:\Users\Admin\AppData\Roaming\driver1.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2088 -ip 2088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2088 -ip 2088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 524
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\tpm.msc"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StopMeasure.wmv"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcdb129758,0x7ffcdb129768,0x7ffcdb129778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3212 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4552 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5012 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6ac597688,0x7ff6ac597698,0x7ff6ac5976a8
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6ac597688,0x7ff6ac597698,0x7ff6ac5976a8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5116 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1804,i,1203490939586576729,10471875840675928224,131072 /prefetch:8
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe" -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | goldteamtrading.wpcomstaging.com | udp |
| US | 192.0.78.20:443 | goldteamtrading.wpcomstaging.com | tcp |
| US | 8.8.8.8:53 | 20.78.0.192.in-addr.arpa | udp |
| GB | 184.28.176.43:443 | tcp | |
| US | 104.208.16.90:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.150:443 | r.bing.com | tcp |
| GB | 92.123.128.150:443 | r.bing.com | tcp |
| GB | 92.123.128.150:443 | r.bing.com | tcp |
| GB | 92.123.128.150:443 | r.bing.com | tcp |
| GB | 92.123.128.150:443 | r.bing.com | tcp |
| GB | 92.123.128.150:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 150.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 23.214.133.66:443 | cxcs.microsoft.net | tcp |
| GB | 92.123.128.150:443 | www.bing.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| GB | 142.250.200.14:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5tewt54f.cps.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3220-8-0x00000188EBDB0000-0x00000188EBDD2000-memory.dmp
memory/3220-9-0x00007FFCDBAD0000-0x00007FFCDC592000-memory.dmp
memory/3220-10-0x00000188EBDA0000-0x00000188EBDB0000-memory.dmp
memory/3220-11-0x00000188EBDA0000-0x00000188EBDB0000-memory.dmp
memory/3220-12-0x00000188EBDA0000-0x00000188EBDB0000-memory.dmp
memory/3220-15-0x00007FFCDBAD0000-0x00007FFCDC592000-memory.dmp
C:\Users\Admin\AppData\Roaming\driver1.exe
| MD5 | 54579c50ad2796b9263f2506e32b8899 |
| SHA1 | 09006f17a2d00943f851ca13888f1ed5aa0421ae |
| SHA256 | f8014184354ad703efd84671a6591834da69134de97a2b8e8d4cfbfe77695bcc |
| SHA512 | d11687e72b91458154f32c5af3a56afcc7071da824fd00b9f0d5b6115f39073f7d6b8ecec9de75ead17e28ae0b80e49866c03c8e0ee95fdef4aeee25818385ee |
memory/4908-22-0x0000000002800000-0x000000000287E000-memory.dmp
memory/4908-23-0x00000000749E0000-0x0000000075191000-memory.dmp
memory/4908-24-0x0000000005020000-0x0000000005030000-memory.dmp
memory/4908-25-0x0000000005020000-0x0000000005030000-memory.dmp
memory/4908-26-0x0000000005020000-0x0000000005030000-memory.dmp
memory/4908-27-0x0000000005030000-0x00000000055D6000-memory.dmp
memory/4908-28-0x0000000004E80000-0x0000000004EFC000-memory.dmp
memory/4908-29-0x0000000005020000-0x0000000005030000-memory.dmp
memory/2088-32-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2088-35-0x0000000000400000-0x0000000000488000-memory.dmp
memory/4908-37-0x0000000002A40000-0x0000000004A40000-memory.dmp
memory/4908-38-0x00000000749E0000-0x0000000075191000-memory.dmp
memory/2088-39-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2088-40-0x0000000003830000-0x0000000003C30000-memory.dmp
memory/2088-41-0x0000000003830000-0x0000000003C30000-memory.dmp
memory/2088-42-0x0000000003830000-0x0000000003C30000-memory.dmp
memory/2088-44-0x0000000003830000-0x0000000003C30000-memory.dmp
memory/2088-43-0x00007FFCFC920000-0x00007FFCFCB29000-memory.dmp
memory/1448-47-0x00000000006F0000-0x00000000006F9000-memory.dmp
memory/2088-46-0x00000000771D0000-0x0000000077422000-memory.dmp
memory/1448-49-0x0000000002330000-0x0000000002730000-memory.dmp
memory/1448-50-0x0000000002330000-0x0000000002730000-memory.dmp
memory/1448-51-0x00007FFCFC920000-0x00007FFCFCB29000-memory.dmp
memory/1448-53-0x0000000002330000-0x0000000002730000-memory.dmp
memory/1448-55-0x00007FFCFC920000-0x00007FFCFCB29000-memory.dmp
memory/1448-54-0x00000000771D0000-0x0000000077422000-memory.dmp
memory/2088-56-0x0000000003830000-0x0000000003C30000-memory.dmp
memory/1448-57-0x0000000002330000-0x0000000002730000-memory.dmp
memory/1448-58-0x00007FFCFC920000-0x00007FFCFCB29000-memory.dmp
memory/2356-59-0x00007FFCDA6A0000-0x00007FFCDB162000-memory.dmp
memory/2356-60-0x000000001D100000-0x000000001D110000-memory.dmp
memory/2356-61-0x000000001D1D0000-0x000000001D204000-memory.dmp
memory/2356-62-0x000000001D100000-0x000000001D110000-memory.dmp
memory/2356-63-0x000000001D100000-0x000000001D110000-memory.dmp
memory/2356-64-0x000000001D100000-0x000000001D110000-memory.dmp
memory/2356-65-0x00007FFCDA6A0000-0x00007FFCDB162000-memory.dmp
memory/2356-68-0x00007FFCDA6A0000-0x00007FFCDB162000-memory.dmp
memory/4172-69-0x00007FF682270000-0x00007FF682368000-memory.dmp
memory/4172-70-0x00007FFCECF60000-0x00007FFCECF94000-memory.dmp
memory/4172-71-0x00007FFCDAFC0000-0x00007FFCDB274000-memory.dmp
memory/4172-84-0x00007FFCD8FD0000-0x00007FFCDA07B000-memory.dmp
memory/4172-118-0x00007FFCD8A10000-0x00007FFCD8B22000-memory.dmp
\??\pipe\crashpad_3452_YIEKEMXIEARQEITT
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 5826866580fc24a9cb7b072971b2ac48 |
| SHA1 | 609d6b62dad442269837d522ad82f181bc3dd61d |
| SHA256 | 9762ab50df77c3d46a45b9e223f48040b34ad0134a19c8a374323293e59dcb61 |
| SHA512 | fc9626169a0b190e18de91cf6e34f933cfe6dfcc23dff6ee2e9bfab6eae3fea75f41954aeb130464b2f5a2a6ca2579dbcdd24d196f08f6e910edf8d1ba663b54 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7f9527d5-2ba2-40e8-b811-c5e29c9f8e03.tmp
| MD5 | 4d1bf1c9920c870da408bc3b2a34c94b |
| SHA1 | 77a9ae846996a39a0597f16fd9429839f8ef547b |
| SHA256 | b27403e498150355bc44d2dd16f3413a7b5e3f4cc303ff52ead635c496c48808 |
| SHA512 | db87b660ea15a0aa9818d898ad961c5cbc12179a254dce8227ea7914000e6be0c191e2524080bc476619539b41cd01ed98e8dc3920faac8da858a8bec09dff55 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 9d46a7315cda3131d804cfb64f933b1d |
| SHA1 | d9b0b0738e7c2bf26eddf6bced318bfb31776fe6 |
| SHA256 | 859e5def0a1f4c99060e3a504071edfac9ddf15230bfa1f0a39ed62cace8588c |
| SHA512 | 1e857e1cc393ab18e327fbfa18ae72b6bd89ed5c92b89d3efe0cc1b9b1eaa4159eb1de828b77a6b675eb733b927c0586f7dcd7ba30410f1a2e64b45b514f3dcc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 02ec21b1584984fa31b74513c2bf8fab |
| SHA1 | 19818b47527c25dca0252b44710c551b0cf98efa |
| SHA256 | 1061ead68c5cbb83a7215d643cd91a9bd283b9934aa8c428160c720afcb95c51 |
| SHA512 | ba876dd6e32fb5e3efa848defc58337184545fa08b725918e8b72e8fed6703c5fa3461411425788e00793c603f6b520d4e32cf6f6b5ed61ea6fa426f41ee1d53 |
C:\Windows\TEMP\Crashpad\settings.dat
| MD5 | 63f8443149e331271aea55d9053a573b |
| SHA1 | af49add37669d931e444efa9d4e9df56f0dde88a |
| SHA256 | c81d3499bc16c4e9d45aa56bdcb3d56cde7b07647d1586538f5a2c5f7d84c8a0 |
| SHA512 | f6da06a6863a41f498f1a7a80ad92b24dca92bf51af1c651f6ab1f260d39151fe3e14b8082ce864891d9fc4e1a1d586e4618de978d18e6c864a1ceaef90b9844 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 48afe6012d2a6254b937d8cf449ba2d8 |
| SHA1 | 0b32f448ab3d515aac4a7af5c3e77ba6a8ab6202 |
| SHA256 | 7bdf099eabdcca49e8eaf4983a17940b648fdeca8fdc0f9b95f87d6b2c50c683 |
| SHA512 | 5427e91b1de853c7e48af16b21a2c657cdf037810a91332aec1e9f4b8612b22182be1539aee62cde80f218b5470148881797f992cfce17e3d2cee2674fe6dc7b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe596306.TMP
| MD5 | 1bea01d2388777eed193e5ab78583d8b |
| SHA1 | 66a57d4e1b234f6cab1430d89b62a1eb815cf8c2 |
| SHA256 | d61d7ba99188c5ce29f62215fda965055968e2e541b065908b72c7766d651695 |
| SHA512 | b500950974b8db6d467825950a299319bb9e43ec9279aa11ec78f6b0e1b52e43c17fede198a7d5e6b5a76f1e72280efdb85c6ca9dfe776225e1003491e356f37 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5c049df23a8f338bb6046bee1df7e318 |
| SHA1 | b895d7a1be81b5107416e544070e2464c5a86128 |
| SHA256 | c8761d840862e0582c4f7f5427c1a865f4b450c64f7d2b6e34948765cc1f56b1 |
| SHA512 | 095bb2f06a19394cca734cad29c1852ea8ff84dfe1c6a212d817af4b3d1e914b9a077e15501c25c3d05380c6ea779dc82fc13e54268cf51b39134c5863c5e04d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-12 17:53
Reported
2024-02-12 17:56
Platform
win11-20231222-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "52" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Project\opengl32.dll,#1
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a10855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| GB | 92.123.26.193:443 | tcp | |
| US | 20.189.173.12:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.146:443 | r.bing.com | tcp |
| GB | 92.123.128.146:443 | r.bing.com | tcp |
| GB | 92.123.128.146:443 | r.bing.com | tcp |
| GB | 92.123.128.146:443 | r.bing.com | tcp |
| GB | 92.123.128.146:443 | r.bing.com | tcp |
| GB | 92.123.128.146:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |