e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397

Analysis

max time kernel
55s
max time network
43s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
24-02-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eicarcom2.zip
Size

308B
MD5

e4968ef99266df7c9a1f0637d2389dab
SHA1

bec1b52d350d721c7e22a6d4bb0a92909893a3ae
SHA256

e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397
SHA512

73d6b0ca9c5554fd2b37ff8af6b51812f3af49962cebd6e042d0883a45794ddb8a53724275d26f3e18cebf1cd1d67740acc920aba16965038c0cc75b87030fbe

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133532106115801504"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2328	chrome.exe
2328	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeCreatePagefilePrivilege	2328	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe
2328	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2208	2328	chrome.exe	80
PID 2328 wrote to memory of 2208	2328	chrome.exe	80
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 4488	2328	chrome.exe	82
PID 2328 wrote to memory of 668	2328	chrome.exe	83
PID 2328 wrote to memory of 668	2328	chrome.exe	83
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84
PID 2328 wrote to memory of 124	2328	chrome.exe	84

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\eicarcom2.zip
1⤵
PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffffc729758,0x7ffffc729768,0x7ffffc729778
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1824,i,5013286352552650199,2645252344238176667,131072 /prefetch:2
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1824,i,5013286352552650199,2645252344238176667,131072 /prefetch:8
  2⤵
  PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 --field-trial-handle=1824,i,5013286352552650199,2645252344238176667,131072 /prefetch:8
  2⤵
  PID:124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1824,i,5013286352552650199,2645252344238176667,131072 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1824,i,5013286352552650199,2645252344238176667,131072 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4516 --field-trial-handle=1824,i,5013286352552650199,2645252344238176667,131072 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1824,i,5013286352552650199,2645252344238176667,131072 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5052 --field-trial-handle=1824,i,5013286352552650199,2645252344238176667,131072 /prefetch:8
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1824,i,5013286352552650199,2645252344238176667,131072 /prefetch:8
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5060 --field-trial-handle=1824,i,5013286352552650199,2645252344238176667,131072 /prefetch:1
  2⤵
  PID:1944

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
195KB

MD5
873734b55d4c7d35a177c8318b0caec7

SHA1
469b913b09ea5b55e60098c95120cc9b935ddb28

SHA256
4ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d

SHA512
24f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
7951c3acd721863ad5b67a63c3ee14ea

SHA1
4a0ba2095af4a06cbcb963544276975a4cba79f8

SHA256
3a1249dee082af3fd64883bda55841cb0585fb2d69c72e0b76d6c1ee108ecbf8

SHA512
09871bfec965f5e3753fe72a2ea51580e2789278394182e82ce778956dec8c66923c6e42b026b4c558dbc59a12c642f2dcd79f7aa82c4ace0425f59dad0538b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
3b92afb7e656fe8aefe35fbb0bd0dd82

SHA1
812f2ba2571a3fd3756a56f87884d019d5574926

SHA256
1771f70c88931fc1252b1f3d7da2b8f52a267e2d46493b458e06094a2ef2d4ce

SHA512
48c77212b630346ab832642ff1b1a04f14dcca120fc62a9ca6baec7d6039d91d67e82c440aea8e0d2e9eecfb6415f25459a5f87b6ba5fc6a867ee0fab4723a32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ac4cf032d853695ca12791b98739f819

SHA1
42e724dc53a89f9da4805933c534ca312e508f13

SHA256
c205610ae07884e59f4983315821f2df4b4cbe545205dfed225856151f452606

SHA512
6705b15898c6eaa04d294db1e3076de85fd624fb77608c867631f3a6d1fd8cf31c73e6900b2f7d079762cb2fafbe884334e09b89d3be09de4325c3ce098f7a9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e6b02a28ba18dbb9aa7d2541cffb5273

SHA1
5b0ad2cf9312b19f0c12e582c32acc1b87c4ed23

SHA256
62175c1f268e346cb497821f5dca94eabb9b835ce7533bd4998423c1b05ae454

SHA512
7f1b2add2b9f2ca8ea66a61532cc48bca9359074e7df0768be9f25b4b8609e909a885b23187cff26ae50b2602b001636bb87ef5415fa4cb340d39f2d8b7bf846

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
dfc9b8a80b08c533bc4ecaa39f02002d

SHA1
22f12ec67e6977a4d5ee169ed5a035e997d49130

SHA256
19614f790b4d28ec1e2a42358b1cc87320385916064b56631944041edf5c53df

SHA512
631051c2a3d7a830d4133b1c14484217e758bd23b375fa8c4fe240dce3473f0b1fc5195e3ec61e21d2d1eff5d186e2dbe6f21d2982fddbbf348d70148cf0ea88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
af89662179a900db07d214ce3d85138c

SHA1
7aa1893af8edf15b3439f8e45931d65763829af0

SHA256
0931676a74003bb936a2b41c6a7085951fb6c4c7dd51dcf4e50e25920b08a76e

SHA512
d7135ed7f69dd392155d43925de03b8dc7e015f651795d57f2e825565327933f11ffc310c67d091b27ba41c8f6ce7d70bf0714c2d5aa6b749c09bd043f5030c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit