hxxps://gofile[.]io/d/LOwIP7

Analysis

max time kernel
149s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20/02/2024, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/LOwIP7

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133529088683809828"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1404	1392	chrome.exe	32
PID 1392 wrote to memory of 1404	1392	chrome.exe	32
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 3020	1392	chrome.exe	82
PID 1392 wrote to memory of 612	1392	chrome.exe	83
PID 1392 wrote to memory of 612	1392	chrome.exe	83
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84
PID 1392 wrote to memory of 2256	1392	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/LOwIP7
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd66ed9758,0x7ffd66ed9768,0x7ffd66ed9778
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1856,i,10921106370304116117,8267628646992575744,131072 /prefetch:2
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1856,i,10921106370304116117,8267628646992575744,131072 /prefetch:8
  2⤵
  PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1856,i,10921106370304116117,8267628646992575744,131072 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1856,i,10921106370304116117,8267628646992575744,131072 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1856,i,10921106370304116117,8267628646992575744,131072 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4516 --field-trial-handle=1856,i,10921106370304116117,8267628646992575744,131072 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1856,i,10921106370304116117,8267628646992575744,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1856,i,10921106370304116117,8267628646992575744,131072 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2832 --field-trial-handle=1856,i,10921106370304116117,8267628646992575744,131072 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4684 --field-trial-handle=1856,i,10921106370304116117,8267628646992575744,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3052

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
05bd5c8fef6440baf7e324eb8055202b

SHA1
6d1aeed2b263e0bb473f6ab5a2cbf41b501e6e06

SHA256
392a7af5b1e18375a357a91457de213b6d3c62a62d3107ce57b222af996f4cb9

SHA512
3832ced84e5f2a59daa3f6fe9548ac4cf09e3f14f445faa4f46da77fb811c12b931192222a4447f86483873398c74e41b3415471bf4028eb4b930139e32a4c38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f79b83758b9b2fbc8dfac472a1819187

SHA1
63557093871c4ed32c84ace75b092128f49c45d4

SHA256
6633867d65b876c6e61695e573a3307180e8efc768b51bf8768e8ac0f9c1e721

SHA512
918de85b9838daafe6a37b0c5425f9f233e15535e1413ce5d3641083b4f6d537cf3ecb77874f249a902ac041b7491e41a08743728ae251c4abfa33659515172e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
6194df644860942aa0e9578b60d2a9e7

SHA1
ad298ec6a4bb53a28a3cdfaf2d18d600e99f86e6

SHA256
ce16e987709417eb36d726b6fba307774f2cf4ed3165eabf8d591e2c8a16443f

SHA512
a761dc07771f206c92f27a83f90acf0949ba9a465c61f7d9d46b427aed65682648bda5cf4996becbc8560d6a45332b7a24343b59c27bf4c6e02c3bffe19ad646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c226e1e933d54b0f1c6c855484374d99

SHA1
05e5f047cc03008ac3a45e9767e41ac45cc7fc37

SHA256
931b2144ccd255a92b9d0b4852936ef4ac2f384e21ecd90a39bdc819a1258ac3

SHA512
c4f8f41204852f99dcf16f58f2b18fa0207aa92ee8f14ae1ff06bbd37b2d9e7c9a567fea8fb3189dad3970696ad8a63675d00c1b58482d3ba63967a61407cefe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
f0daaf86100823b12c02cce7d2502a2f

SHA1
bb1677431237a6b5f63b624edad6a82e2e70d669

SHA256
28a96231a2a5f82be08d885e77ddcd3c3e1d74aff32722d172b7db3acbe86609

SHA512
5bbd6999d79f140825fc44c22dc6de9060902d8521e51c49dbb3f02bacc4e079e3b6e8f23a6a90e793a299685724661c4bca9d1e8ad0ecd5058b5727c86e2dde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit