7b67f750bf035c8d23e8b547a5091bf8da9aa43b5b57e6c751161804377ca57e

Analysis

max time kernel
209s
max time network
215s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
19/02/2024, 20:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

writing_class_work.txt
Size

5KB
MD5

ad6b013103266a236ec67a458c5dedff
SHA1

d52381d44d6937b01b2aac16efc6d2f78e2a65ae
SHA256

7b67f750bf035c8d23e8b547a5091bf8da9aa43b5b57e6c751161804377ca57e
SHA512

cc99608b1b44e81fa115a1fd6c14b9b009eb562359a7282ce31ef619135494385ce47174502c3b11fef7846fe91b4eec37f964057b4f7b70d7bed78891858e20
SSDEEP

96:BBMxN0YYiqSe0MSgWkIkllMzvwyHw8oLM980/DPGHUaEUoP:BdigKAkvi0wUajY

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133528476676756881"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1454216376-3069400526-304058712-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1832	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4196	chrome.exe
4196	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1832	1876	cmd.exe	78
PID 1876 wrote to memory of 1832	1876	cmd.exe	78
PID 4196 wrote to memory of 5040	4196	chrome.exe	82
PID 4196 wrote to memory of 5040	4196	chrome.exe	82
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 3252	4196	chrome.exe	84
PID 4196 wrote to memory of 328	4196	chrome.exe	85
PID 4196 wrote to memory of 328	4196	chrome.exe	85
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88
PID 4196 wrote to memory of 4528	4196	chrome.exe	88

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\writing_class_work.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\writing_class_work.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe587d9758,0x7ffe587d9768,0x7ffe587d9778
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1816,i,6427852269793438587,12156113776071337079,131072 /prefetch:2
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1816,i,6427852269793438587,12156113776071337079,131072 /prefetch:8
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3208 --field-trial-handle=1816,i,6427852269793438587,12156113776071337079,131072 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3204 --field-trial-handle=1816,i,6427852269793438587,12156113776071337079,131072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 --field-trial-handle=1816,i,6427852269793438587,12156113776071337079,131072 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4092 --field-trial-handle=1816,i,6427852269793438587,12156113776071337079,131072 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1816,i,6427852269793438587,12156113776071337079,131072 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1816,i,6427852269793438587,12156113776071337079,131072 /prefetch:8
  2⤵
  PID:3936

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:112

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
4c000da34910b435b57bc14a94203626

SHA1
c3b15cb2e02a908aabb6fca159954e64c9afe09d

SHA256
38849929b637cd67caf2b6275829ef0d3212226a37de10b1e177369313cf35c0

SHA512
088dad5a250de46abae5af41ba194f25078249402efef3abd5fdde88b0d4c838a279afb77242cd0961367d4963b39a32b0e542053c232ff9b0289100b36cdf7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0356b5a0952c16a645c9bbd6e4c4f0ff

SHA1
cb0f994aca4a4e9d009aa85e1945cd06aa99cae7

SHA256
881398e4451a8a6b81f382d40c6252178b04227c176281eb8e53d20fa0466fd8

SHA512
0176d0599802faeab0b84997d52cb6823b062ad97b25b1ca124c19f7178b605f0998871a4e586cb3880ca26fa6ca61a44aa57971854a5509a0887f8bda6685b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
75972fb607aaa5c5806b3657a1fed598

SHA1
0328eb8b345ab795546ab2f49ec10cfe2072bb00

SHA256
3259e091d4c4cc5845fb0246afee81ba70effea3645b91011e99036e1ff365f9

SHA512
18102367ac33cb771cb0f667e08d7c0298c9f79179ab401861af97dfe72b2363274a331f16c0441c1780e6024b05bea6f6d3729b10519ba549689f30d8ff004b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
694d29ef74064017c0e73a25469d3949

SHA1
5d1520a504404ba6839e473eccb3281135b21603

SHA256
e3683d8a49ea0e938f31a32b43f4eebc5814a6871ec183ab5feabbb9421c05cb

SHA512
f2a837d582dcdf714c8a8f6b543db3d10f5d8a2f7b2be03a2b1183e276d71060f47d83b080e285b8263f315a32de05d889d3d878c55bfd11b66fe5e664bc12d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit