hxxps://gofile[.]io/d/q53ONj

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
24/02/2024, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/q53ONj

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133532310251012017"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5024	chrome.exe
5024	chrome.exe
1488	chrome.exe
1488	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 3580	5024	chrome.exe	29
PID 5024 wrote to memory of 3580	5024	chrome.exe	29
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 4516	5024	chrome.exe	82
PID 5024 wrote to memory of 3616	5024	chrome.exe	83
PID 5024 wrote to memory of 3616	5024	chrome.exe	83
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84
PID 5024 wrote to memory of 2688	5024	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/q53ONj
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb563f9758,0x7ffb563f9768,0x7ffb563f9778
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1824,i,6082407279940291414,8655474798660160649,131072 /prefetch:2
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1824,i,6082407279940291414,8655474798660160649,131072 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1824,i,6082407279940291414,8655474798660160649,131072 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1824,i,6082407279940291414,8655474798660160649,131072 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2900 --field-trial-handle=1824,i,6082407279940291414,8655474798660160649,131072 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4656 --field-trial-handle=1824,i,6082407279940291414,8655474798660160649,131072 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1824,i,6082407279940291414,8655474798660160649,131072 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1824,i,6082407279940291414,8655474798660160649,131072 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1824,i,6082407279940291414,8655474798660160649,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1488

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3ae58eef-88ac-4422-bca1-7dd9e57e961a.tmp

Filesize
130KB

MD5
820260522a4b2eba33a69795d754650a

SHA1
8263971ad716805642f5285b5a1e4eb839a364de

SHA256
9ebd90264bcfb0a65fdfb37775b91d9cf8d433fcbcd128e9b7aed27d8d4ef03b

SHA512
32166ae049761c19f23365be3f43f58d097e8917c89cc9b0f214abad9dfccd8687337b811cee978731bfaa44235dd998b5ae0b732c6a4edcb85b05bf5c381583

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
9012818c00060f003ba71e12eea2203e

SHA1
c382bb8918dbf00f69dd9f526979b32028a1bb23

SHA256
6b176654fefa3604700242bda82dab41baeef74bd18d093e214fbeaeb499a6b2

SHA512
e083b3bcd7f2833bbb4dbeeeaf59fb8dfa9ea37739a94257c682b64c57deee3154567b79e3ec4156a2d588b5bdb596eabf817786e7b1ac9eca4a3bd2e9c320e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b58eb6907849a81eaa0af658caf0cde9

SHA1
053ab1bbaf6f3c42d1591c8cc274896709336c3e

SHA256
613e7fb9c20009c475bcf45d6882907337c0a5ca7e41285ef53fbeb78f1f6fa6

SHA512
6f59646889f5a2c6c9688ccc0843913db7ade758616cbf901df897014ef86165e02240d32e661604ecaaf0cf1b11a36d429355da78257cb1fd9876041487af82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
fd623a29321b4bb4fc18b06732b7288d

SHA1
47f5fbb9b75b5e26d79cb8f3cc18bf7871bf08aa

SHA256
288b30695a9ba777e121075b49b5104846dbc4eb8be9c3fb6a8f5ecda2470a87

SHA512
7591d92b74c83a7dd33af7c7ff0dbdfc6e8967747675ed491c07232a577abd2c0b260f071b292e0cbcdab77be2772c7c398a30be2801bb88e06451645de256b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d7713e06ba75f0fc3bf60ba58839b9af

SHA1
98eacd4761731fe11d0c90c301975be3c3d0b284

SHA256
06fc845029f98d1ba2d1e2445cc0da61ed47669a800894240601d95054cb149a

SHA512
8962c8256285b9020f3ed39cf128e4b6f81fd516a6be5745312eeed1f719acf5edbd818be4f2cf49f98c90189a79bb853a01a4ea288862067ae5202735dda9aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit