Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240221-es
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 22/02/2024, 20:20

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://tmpfiles.org/dl/4282465/payload.zip
Resource: win10v2004-20240221-es

General

Target: https://tmpfiles.org/dl/4282465/payload.zip

Malware Config

Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  42    7.tcp.eu.ngrok.io
  66    7.tcp.eu.ngrok.io

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description      ioc                                                                                                   Process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                 chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133531068135205159"  chrome.exe

Modifies registry class (2 IoCs)
  description  ioc                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings  chrome.exe
  Key created  \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings  calc.exe

Opens file in notepad (likely ransom note) (1 IoCs)
  pid   Process
  2232  NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4948  chrome.exe (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  pid   Process
  4948  chrome.exe (x2)

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description                       pid   Process
  Token: SeShutdownPrivilege        4948  chrome.exe (x6)
  Token: SeCreatePagefilePrivilege  4948  chrome.exe (x6)
  Token: SeDebugPrivilege           4480  whoami.exe

Suspicious use of FindShellTrayWindow (35 IoCs)
  pid   Process
  4948  chrome.exe (x35)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  4948  chrome.exe (x24)

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  4888  OpenWith.exe

Suspicious use of WriteProcessMemory (64 IoCs, identical rows collapsed by target)
  description                       pid   Process     procid_target
  PID 4948 wrote to memory of 2908  4948  chrome.exe  54
  PID 4948 wrote to memory of 3084  4948  chrome.exe  88
  PID 4948 wrote to memory of 1228  4948  chrome.exe  90
  PID 4948 wrote to memory of 3628  4948  chrome.exe  89
  All 64 rows are chrome.exe (4948) writing into its own child processes from the tree below: crashpad handler 2908, GPU process 3084, network service 1228 and storage service 3628.
Processes (indentation shows parent/child depth as recorded by the sandbox; PIDs 920 and 1968 each appear twice because the PID was reused later in the run, not because the same process ran twice)

PID 4948  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tmpfiles.org/dl/4282465/payload.zip
          Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  PID 2908  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb6239758,0x7fffb6239768,0x7fffb6239778
  PID 3084  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1872,i,18235710236842130195,12170747366255379736,131072 /prefetch:2
  PID 3628  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 --field-trial-handle=1872,i,18235710236842130195,12170747366255379736,131072 /prefetch:8
  PID 1228  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1872,i,18235710236842130195,12170747366255379736,131072 /prefetch:8
  PID 1888  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=1872,i,18235710236842130195,12170747366255379736,131072 /prefetch:1
  PID 244   "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1872,i,18235710236842130195,12170747366255379736,131072 /prefetch:1
  PID 3896  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1872,i,18235710236842130195,12170747366255379736,131072 /prefetch:8
  PID 3280  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 --field-trial-handle=1872,i,18235710236842130195,12170747366255379736,131072 /prefetch:8
  PID 2832  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 --field-trial-handle=1872,i,18235710236842130195,12170747366255379736,131072 /prefetch:8

PID 920   "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

PID 3624  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 1076  "C:\Users\Admin\Desktop\rce-exploit\nimshell.exe"
  PID 3404  C:\Windows\SYSTEM32\cmd.exe  cmd /c ls
  PID 1968  C:\Windows\SYSTEM32\cmd.exe  cmd /c dir
  PID 4808  C:\Windows\SYSTEM32\cmd.exe  cmd /c whoami
    PID 4480  C:\Windows\system32\whoami.exe  whoami
              Signatures: Suspicious use of AdjustPrivilegeToken
  PID 3940  C:\Windows\SYSTEM32\cmd.exe  cmd /c dir
  PID 4744  C:\Windows\SYSTEM32\cmd.exe  cmd /c calc
    PID 2700  C:\Windows\system32\calc.exe  calc
              Signatures: Modifies registry class
  PID 3976  C:\Windows\SYSTEM32\cmd.exe  cmd /c echo "You got pwned, bom dia!" >> mypasswords.txt
  PID 4008  C:\Windows\SYSTEM32\cmd.exe  cmd /c del *
  PID 4168  C:\Windows\SYSTEM32\cmd.exe  cmd /c

PID 4888  C:\Windows\system32\OpenWith.exe -Embedding
          Signatures: Suspicious use of SetWindowsHookEx

PID 2232  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\mypasswords.txt
          Signatures: Opens file in notepad (likely ransom note)

PID 4268  "C:\Users\Admin\Desktop\rce-exploit\nimshell.exe"
  PID 2212  C:\Windows\SYSTEM32\cmd.exe  cmd /c dir
  PID 1968  C:\Windows\SYSTEM32\cmd.exe  cmd /c del *.*
  PID 3360  C:\Windows\SYSTEM32\cmd.exe  cmd /c
  PID 920   C:\Windows\SYSTEM32\cmd.exe  cmd /c y
  PID 2948  C:\Windows\SYSTEM32\cmd.exe  cmd /c y
  PID 4504  C:\Windows\SYSTEM32\cmd.exe  cmd /c dir
  PID 1084  C:\Windows\SYSTEM32\cmd.exe  cmd /c dir
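The two things in this report that a detection engineer would want to catch generically are the C2 flows to a tunnelling service (7.tcp.eu.ngrok.io) and the pattern of a binary dropped under the user's Desktop (nimshell.exe) driving cmd.exe through reconnaissance (ls, dir, whoami) and then wildcard deletion (del *, del *.*). The following is an added example, not the sandbox's own detection logic and not code from the sample. The process and flow events are constructed by hand to mirror the tree above (parent PIDs are None where the report shows a process at top level; clients2.google.com is included as a benign control taken from the crashpad command line). The tunnelling-domain list, the user-writable path pattern and the recon/destructive command regexes are assumptions to be tuned per environment.

```python
"""Run two detections over process-creation and flow events shaped like the report above."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None where the sandbox did not record the parent (top-level in the tree)
    image: str
    cmdline: str


@dataclass(frozen=True)
class FlowEvent:
    flow_id: int
    domain: str


# Assumption: tunnelling-service suffixes worth flagging as C2 fronting; extend for your environment.
TUNNEL_DOMAIN_SUFFIXES = (".ngrok.io", ".ngrok-free.app")
# Binaries under these directories were written by the user or an earlier payload stage, not by an installer.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
RECON_RE = re.compile(r"\b(whoami|dir|ls|ipconfig|systeminfo|net\s+user)\b", re.I)
# del/erase/rd with optional switches followed by a wildcard target, e.g. "del *", "del /q *.*"
DESTRUCTIVE_RE = re.compile(r"\b(del|erase|rmdir|rd)\s+(/\S+\s+)*\*", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_tunnel_flows(flows):
    """Return (flow_id, domain) for every flow whose destination is a tunnelling service."""
    return [(f.flow_id, f.domain) for f in flows
            if f.domain.lower().endswith(TUNNEL_DOMAIN_SUFFIXES)]


def flag_shell_spawners(procs):
    """For each binary in a user-writable path that spawns cmd/powershell, summarise what those shells ran."""
    children = defaultdict(list)
    for p in procs:
        if p.ppid is not None:
            children[p.ppid].append(p)
    findings = []
    for parent in procs:
        if not USER_WRITABLE_RE.match(parent.image):
            continue
        shells = [c for c in children[parent.pid] if _basename(c.image) in SHELL_IMAGES]
        if not shells:
            continue
        recon = [c.cmdline for c in shells if RECON_RE.search(c.cmdline)]
        destructive = [c.cmdline for c in shells if DESTRUCTIVE_RE.search(c.cmdline)]
        findings.append({
            "pid": parent.pid,
            "image": parent.image,
            "shells": len(shells),
            "recon": recon,
            "destructive": destructive,
            # recon followed by wildcard deletion from the same parent reads as an operator at a shell
            "severity": "high" if recon and destructive else "medium",
        })
    return findings


def summarize(procs, flows):
    """One line per finding, suitable for an alert body."""
    lines = [f"flow {fid} -> {dom}: tunnelling service used for C2" for fid, dom in flag_tunnel_flows(flows)]
    for f in flag_shell_spawners(procs):
        lines.append(f"pid {f['pid']} {f['image']} spawned {f['shells']} shell(s), "
                     f"recon={len(f['recon'])} destructive={len(f['destructive'])} -> {f['severity']}")
    return lines


# Constructed sample events mirroring the report's process tree and flow table (not a live capture).
CMD = r"C:\Windows\SYSTEM32\cmd.exe"
NIMSHELL = r"C:\Users\Admin\Desktop\rce-exploit\nimshell.exe"
SAMPLE_PROCS = [
    ProcEvent(4948, None, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe --single-argument https://tmpfiles.org/dl/4282465/payload.zip"),
    ProcEvent(1076, None, NIMSHELL, f'"{NIMSHELL}"'),
    ProcEvent(3404, 1076, CMD, "cmd /c ls"),
    ProcEvent(1968, 1076, CMD, "cmd /c dir"),
    ProcEvent(4808, 1076, CMD, "cmd /c whoami"),
    ProcEvent(4480, 4808, r"C:\Windows\system32\whoami.exe", "whoami"),
    ProcEvent(4744, 1076, CMD, "cmd /c calc"),
    ProcEvent(3976, 1076, CMD, 'cmd /c echo "You got pwned, bom dia!" >> mypasswords.txt'),
    ProcEvent(4008, 1076, CMD, "cmd /c del *"),
    ProcEvent(2232, None, r"C:\Windows\system32\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\mypasswords.txt'),
    ProcEvent(4268, None, NIMSHELL, f'"{NIMSHELL}"'),
    ProcEvent(2212, 4268, CMD, "cmd /c dir"),
    ProcEvent(1968, 4268, CMD, "cmd /c del *.*"),   # PID 1968 reused later in the run, as in the report
    ProcEvent(920, 4268, CMD, "cmd /c y"),
]
SAMPLE_FLOWS = [FlowEvent(42, "7.tcp.eu.ngrok.io"), FlowEvent(66, "7.tcp.eu.ngrok.io"),
                FlowEvent(7, "clients2.google.com")]   # flow 7 is a constructed benign control

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_PROCS, SAMPLE_FLOWS)))
```

Keying the second rule on the parent's path rather than on cmd.exe alone is what keeps it quiet: Chrome's own child processes and the sandbox-launched notepad never match, while both nimshell.exe sessions score high because each one pairs a recon command with a wildcard delete. The rule is indifferent to PID reuse because it groups children by parent PID, not by child PID.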
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: e26b5c3cf64529cd5fc5ce41ea2a9ada
SHA1: 019ecb856409c7e7f1e19e489b47ce499d245894
SHA256: 8a282a383d3909b64b5706ba81dce41a4d15be2a8b8edac72253cf8628eb671d
SHA512: 4c3b17366e85a7d371dbf2dd180d886ce917a8dc701ca0873b9a4fc0c49c26d9980079fd533eff6800804d72d89b6ff0b733bd103f10ca9a125ac43ceb194693

Filesize: 6KB
MD5: 3e606d30efb71e80f9e9d018c8f68b50
SHA1: 3e132e30f8c5f5d5fca58d8348789063f9b8555f
SHA256: 2da4880bf1358d46ac0fce0f1d4d8072e07b523dd61d2bbe7b242f2635b2a2e9
SHA512: 593278a9072ead4e5bc4c913366b7babb7f8271527b50ac1a3edeb50b3de6cc5c41a70f43e68a09d013a155d2d758d779d7f7d8a4e6a2a07161fb1873cd993cc

Filesize: 130KB
MD5: 100d266fd8ea918467e88b9573c35f45
SHA1: 9aad616e59e8fe7deab075677722fd0e82026b6f
SHA256: aa3f038e3165f5d3e871e7cb31b8d2025205b36a111618c8258a2b86d3e0b163
SHA512: a463cd2c93f05ae83c981c37f0943ee3dd3bd26621356db822467fa1af2567a7591216adf15665468ec732456b59eac0cf389749444963e51c4f486d46b90fe2

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 2B (these are the well-known digests of the two-byte string "{}", i.e. an empty JSON object)
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize: 28B
MD5: 036ace330d16eda016b74b3a2ae5a680
SHA1: 873d1f9b1c4e2abe3ced0bcd09db6d1d6e69239e
SHA256: 17ee3c5189c2b88d1c62d7300edc0f987006a777d091bfa564008bcc0a0fa357
SHA512: 472bae2b30cd74b8cd6a724999ae23f3a6683d01ff6efd937b33aed379268eaec3e026a47a1aa6b09e9294ff9254ff2974f27a645c7753d4546a844d670de048

Filesize: 4.0MB
MD5: 0b6417144d1a57d90a2ebdfb5022c76a
SHA1: 84b6beed381a698ddca89167fc8e61ad7f00858f
SHA256: eb0f256088c6111c350bffda595ba84c7cacb38c1cc732be88128c17652cc724
SHA512: 8e66e6e9028e8cd659cbacd29abb99ce862c0b950fd177cef9c221c9baab97fdc3b7453ada746567d6a8d94eefe92d69608a2ac155c1e534dde4d21653525e43