Overview
overview
10Static
static
3TikToKBuilder.exe
windows11-21h2-x64
10$PLUGINSDI...ls.dll
windows11-21h2-x64
3$PLUGINSDI...em.dll
windows11-21h2-x64
3LICENSES.c...m.html
windows11-21h2-x64
1TikToKBuilder.exe
windows11-21h2-x64
10d3dcompiler_47.dll
windows11-21h2-x64
1ffmpeg.dll
windows11-21h2-x64
1libEGL.dll
windows11-21h2-x64
1libGLESv2.dll
windows11-21h2-x64
1locales/am.ps1
windows11-21h2-x64
1locales/et.ps1
windows11-21h2-x64
1locales/gu.ps1
windows11-21h2-x64
1locales/ml.ps1
windows11-21h2-x64
1locales/ms.ps1
windows11-21h2-x64
1locales/ru.ps1
windows11-21h2-x64
1resources/elevate.exe
windows11-21h2-x64
1vk_swiftshader.dll
windows11-21h2-x64
1vulkan-1.dll
windows11-21h2-x64
1$PLUGINSDI...7z.dll
windows11-21h2-x64
3Analysis
-
max time kernel
1868s -
max time network
1877s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
03-03-2024 20:57
Static task
static1
Behavioral task
behavioral1
Sample
TikToKBuilder.exe
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral2
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral4
Sample
LICENSES.chromium.html
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral5
Sample
TikToKBuilder.exe
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral6
Sample
d3dcompiler_47.dll
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral7
Sample
ffmpeg.dll
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral8
Sample
libEGL.dll
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral9
Sample
libGLESv2.dll
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral10
Sample
locales/am.ps1
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral11
Sample
locales/et.ps1
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral12
Sample
locales/gu.ps1
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral13
Sample
locales/ml.ps1
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral14
Sample
locales/ms.ps1
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral15
Sample
locales/ru.ps1
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral16
Sample
resources/elevate.exe
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral17
Sample
vk_swiftshader.dll
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral18
Sample
vulkan-1.dll
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral19
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win11-20240221-en
windows11-21h2-x64
General
-
Target
LICENSES.chromium.html
-
Size
8.7MB
-
MD5
1ca87d8ee3ce9e9682547c4d9c9cb581
-
SHA1
d25b5b82c0b225719cc4ee318f776169b7f9af7a
-
SHA256
000ae5775ffa701d57afe7ac3831b76799e8250a2d0c328d1785cba935aab38d
-
SHA512
ec07b958b4122f0776a6bded741df43f87ba0503b6a3b9cc9cbe6188756dcde740122314e0578175123aaa61381809b382e7e676815c20c3e671a098f0f39810
-
SSDEEP
24576:ZQQa6Ne6P5d2WSmwRFXe1vmfpV6k626D6b62vSuSpZ:ZMfTVQ
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133539736697728533" chrome.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4552 chrome.exe 4552 chrome.exe 3104 chrome.exe 3104 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid Process 4552 chrome.exe 4552 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe Token: SeShutdownPrivilege 4552 chrome.exe Token: SeCreatePagefilePrivilege 4552 chrome.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe 4552 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4552 wrote to memory of 2132 4552 chrome.exe 80 PID 4552 wrote to memory of 2132 4552 chrome.exe 80 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 4728 4552 chrome.exe 82 PID 4552 wrote to memory of 2400 4552 chrome.exe 83 PID 4552 wrote to memory of 2400 4552 chrome.exe 83 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84 PID 4552 wrote to memory of 3364 4552 chrome.exe 84
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc4cce9758,0x7ffc4cce9768,0x7ffc4cce97782⤵PID:2132
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1552 --field-trial-handle=1820,i,14766675090639364373,11738210653095238354,131072 /prefetch:22⤵PID:4728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1820,i,14766675090639364373,11738210653095238354,131072 /prefetch:82⤵PID:2400
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1820,i,14766675090639364373,11738210653095238354,131072 /prefetch:82⤵PID:3364
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1820,i,14766675090639364373,11738210653095238354,131072 /prefetch:12⤵PID:2392
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1820,i,14766675090639364373,11738210653095238354,131072 /prefetch:12⤵PID:3016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1820,i,14766675090639364373,11738210653095238354,131072 /prefetch:82⤵PID:3112
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 --field-trial-handle=1820,i,14766675090639364373,11738210653095238354,131072 /prefetch:82⤵PID:3080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1820,i,14766675090639364373,11738210653095238354,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3104
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:3472
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD50235cc41d4e91117462d95057e733d33
SHA10296c588f2b13533408b7aa56c0ec743927ee379
SHA2563e49e069ba3c61a09f181541ff066df696bc008528b15fe88e0891d4ac26cd83
SHA5123aa5c351b6d908ff9721385a3ae4db0b8459223f5ec6ca861f58efc05774732d6b9083fe4c0a7d84b24d93c862773ccf3955b5ff0d1c44760ffc5daad9a363fb
-
Filesize
6KB
MD5701a6d0e10096bee07492bdd81dba64d
SHA1bea2eaec214dd4315869031c72d5adbd8c91b436
SHA256e5ab7fa99971eb3f6a841e68709a18b1242e9987cb60e3a50547bfb3e61692cf
SHA512e5bee3a3cfdaa802c46559308bf0ac7817a0801712905d81e6d3afc7812177f7784f94908a959e7e1173c0cc9005cfa2814a3c29e9e044752c84b9b8a69bc21c
-
Filesize
130KB
MD570ff6e90b0ead5fff8f7aaa9c7387cc6
SHA18e3f488dba1606461bc9ad62f39f9d18fc0a0804
SHA2564fd3c4edb83af1a88c12c8166a4e5030eab625e9c013ba5d40ad879ffa54b8fc
SHA51280d4fe9d25dc610fa201e07368604e5dc50d23539d54b30358a6180f15634eecbe4d75aebd0013d6e4412d6f93b3bb7d4657fe0c658ada0152b60c95faad39c7
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd