hxxps://gofile[.]io/d/bLjssM

Analysis

max time kernel
1200s
max time network
1137s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 16:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/bLjssM

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133528355995920911"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3448	chrome.exe
3448	chrome.exe
4596	chrome.exe
4596	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 1844	3448	chrome.exe	83
PID 3448 wrote to memory of 1844	3448	chrome.exe	83
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 4944	3448	chrome.exe	85
PID 3448 wrote to memory of 2184	3448	chrome.exe	86
PID 3448 wrote to memory of 2184	3448	chrome.exe	86
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87
PID 3448 wrote to memory of 2980	3448	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/bLjssM
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0e699758,0x7ffb0e699768,0x7ffb0e699778
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1852,i,16876492885180272200,16995784484912404336,131072 /prefetch:2
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1852,i,16876492885180272200,16995784484912404336,131072 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1852,i,16876492885180272200,16995784484912404336,131072 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3236 --field-trial-handle=1852,i,16876492885180272200,16995784484912404336,131072 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3204 --field-trial-handle=1852,i,16876492885180272200,16995784484912404336,131072 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4792 --field-trial-handle=1852,i,16876492885180272200,16995784484912404336,131072 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3252 --field-trial-handle=1852,i,16876492885180272200,16995784484912404336,131072 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 --field-trial-handle=1852,i,16876492885180272200,16995784484912404336,131072 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1852,i,16876492885180272200,16995784484912404336,131072 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3764 --field-trial-handle=1852,i,16876492885180272200,16995784484912404336,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
84cc0ddd3e10bf4d31f2df2317882186

SHA1
831f6484068af32be9189f3eaa6c3e5b1580f88e

SHA256
9c1c2270e0d49fb16bd43a428adedecece7d91215384e30f8f279b9e8a732a8b

SHA512
3bd256d9eaf63d91217417726b216320b66b16ff02e315cd37bfc33ac382ca48b6852f45e653a0a9dd942e55723acb9a04f1c5b66f2ff3c63aea6e3aeb77a4c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4dcfee343735ac04f4f8d91d0b200b21

SHA1
0dc9f14f09a3dc664e2ac611468ff106ce217656

SHA256
90f508e3eb750d4d3b1f073c428cdea6ce9e617c93cb8b636d4946a44c4d76fc

SHA512
8d6d0fc870b440f632c1da786e4e4ce10b4774e5fd9cbf88be1b828ceabdad27d7742486b02e542ea9b56e3424cea03a0bf4e030bbfe20fd0643be9b27d1c8d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
871B

MD5
7f6b9186ded3dfd420519f2784c97b93

SHA1
58884f19f084119b62f5ea57486331da90a89225

SHA256
81f219fd196e0b67d673aca7ba1f81ee1214ef8cbefbd4c64990aa11359d6ed7

SHA512
45e37563b35008ad48109e086246c4bdaa28c1300b449382c95406330bf68aff31f3c1aeb2ad8d4a80c65c04be00061d8115c4630848d310953efaaf716184bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ba042fc02536e908435c2ad983910a45

SHA1
ba3d06aad61229d9fcb80d6b4f8fbed4cd9a74a8

SHA256
79b5017526dd0e76f80fe583ab959f106d656a708afa3a0978c50b2b9ac696ca

SHA512
9f6a4e2ffe034802db1810f6956b941fd300c8532f8b83e9304ed1da6097c9c4874d7fed6866565da78ca26204cd23f38e502f98c6e8c70b24ae8b85b0ffa191

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ea1cdcd6c7ba7442b8fad850844fa030

SHA1
7b727f72f72d221124acdf857281b4063cb918f5

SHA256
d4cf75f8dfa45383ea79c9e4f4d962d5d10d5d4f01786031f0a0c2ee5eae83ce

SHA512
bf9460a7bcd3fbe116f7b88273e6b6fa93f89e3d4caa954992d7ab435d8edd97e3f68b01f520bfecc083f3d0312ef51686965ed0c9c5d1f1ae9db45715cb5513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c7bedd5d3c7c94d9d83ab652f74f3f55

SHA1
3f0a86082cf7416869d2d19e419681fb0814af55

SHA256
66857140165e78d1d5e474e533475a944eb854ef395e9befcda23e9e54bd6ae1

SHA512
43b42075274a7c0c87147af62b2c8fd531fa86c4fba513e68d1bf913f06447ff4a4aca373313679c15360444f162d8eb1b4e4c5bbdd1c95a11ca81d6f82376dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
bb5919b01065391595309b65455b8935

SHA1
95ac1e7107f6455d181c56f9b99542dbff6f4342

SHA256
3dcfbc828f46d1b81a12a5005a0db6d49c47d7002a4023c7fe43480040937af0

SHA512
94d47de860ddd6b1ce59ebca749965fa38496ba8aba06117580d55b275c8d0beec9f932821fbdc55eed9e454ecd107d0d08d2278e36dd3e57369b1673ca59ff4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit