hxxps://1DRV[.]MS/V/S!AODWD7PVFTX-FFEPLJODECWIQMW?E=XFLFFV

Analysis

max time kernel
151s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://1DRV.MS/V/S!AODWD7PVFTX-FFEPLJODECWIQMW?E=XFLFFV

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133526594063507464"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1844	chrome.exe
1844	chrome.exe
4984	chrome.exe
4984	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe
Token: SeShutdownPrivilege	1844	chrome.exe
Token: SeCreatePagefilePrivilege	1844	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe
1844	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 1556	1844	chrome.exe	83
PID 1844 wrote to memory of 1556	1844	chrome.exe	83
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 4348	1844	chrome.exe	85
PID 1844 wrote to memory of 2980	1844	chrome.exe	86
PID 1844 wrote to memory of 2980	1844	chrome.exe	86
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87
PID 1844 wrote to memory of 2748	1844	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://1DRV.MS/V/S!AODWD7PVFTX-FFEPLJODECWIQMW?E=XFLFFV
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0e699758,0x7ffb0e699768,0x7ffb0e699778
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1904,i,8147651660515242694,6246771623248159688,131072 /prefetch:2
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1904,i,8147651660515242694,6246771623248159688,131072 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1904,i,8147651660515242694,6246771623248159688,131072 /prefetch:8
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1904,i,8147651660515242694,6246771623248159688,131072 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1904,i,8147651660515242694,6246771623248159688,131072 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4608 --field-trial-handle=1904,i,8147651660515242694,6246771623248159688,131072 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 --field-trial-handle=1904,i,8147651660515242694,6246771623248159688,131072 /prefetch:8
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3344 --field-trial-handle=1904,i,8147651660515242694,6246771623248159688,131072 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2464 --field-trial-handle=1904,i,8147651660515242694,6246771623248159688,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
694B

MD5
51f80f0f41d3d4e5e8204c8032ca7ebe

SHA1
6af6bfea5a01acc504576df40f027a78519e79ef

SHA256
a6fef1b96eadc69e06f52f4eb48694e41b8ac571a3d9e2b360118ca85f04d4fa

SHA512
233a58ecbcf67244a84879086ae34cbff8d83566db2b7b4a5345aef2d017f0f349a4c1ad12fd9edcc56cb21179ecac831e257c52f89309619dba1ffe1835b6e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
440a1a7403a2f53b170a7620677741a0

SHA1
dc447e734321b02483776e147e6712153bf6b32c

SHA256
54ea21a2c737a77f1572ba70f6a2d9cc0492626796239510d3b95c00cdd4c359

SHA512
da5246aa0f149dc5f75205c64bfed31bd7a172be9ef1b496fe866b086c3c8e52bfcbf4bb4c1fa2afd4fa684f1faf8b87746e8551fdabd8a02dbe7c82089ba893

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3ff6aaed8b175a100d7fff2518a79be7

SHA1
6b6ba459c896550367047432945ac47755fc984a

SHA256
e59d9ec64dd02680189b8d68b7828f61ede68514e01e8f888c5c90abc6ca3d2f

SHA512
2837d0daecf30794fc6f55b1229451e6a0b9a2dd6fedbc1dbe446f1686b7fa2d61898ec3abaf0e2cd46d6774717fad2e5a61d3c50b6dd2ae29c293eb01cb486e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3ea32785e477e8fcdca646b508809856

SHA1
bc4fca1d566c080864718fdef43b5a0f21068828

SHA256
83c5bea9afc715d75ffc00a5a06cc721519f60a8083458320fd62443e3780a96

SHA512
947a078e911eecb8e72c8bbe041e13db3dc24cdd082b6d1b5c7486c28af4c4286ee846e7dacecbf8258e98982462124df62df5792c8ad97661c529d6ba657e35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
676bbd423dadc9c587ae0f8b655a8302

SHA1
1003d79ae7424dd81688088c8edc41bdcbc68dca

SHA256
ecb62f7dee0fbedda0d374b95d3b25331aca93bf2d2a4ede99a2239dfdd7cd9e

SHA512
646549fb5ead9fd9a21e3d8d9e4307e072c862056a4342cc29f18d0306d138fac4ad9ec8287f4bc6c50d819be02a20209823d710b14896e761ed4765f4b49e6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
6c864c64a1301d706b66528e7f07679b

SHA1
f0d77d6cd1da2113a279b41668d5763bc1bd54a4

SHA256
63ddc08fac65f9e2b122f6c54e1ca26b3689a31e0685334791e68a981e2f71e8

SHA512
69b7bfd737b0298a7a0266e30b34abeea900146d75d2f3cafa5422ece3c679d5aac59981e6119ac80b6f2f80269727e1fdb3d569db2a1565fc1791782f0ff706

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit