hxxps://share[.]multcloud[.]link/share/9d20dc86-2325-46ab-aee8-8ebc1b786ca3

Resubmissions

07-03-2024 14:56

240307-sa3wpseh3v 1

07-03-2024 14:52

240307-r8y5qseg6v 1

Analysis

max time kernel
143s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://share.multcloud.link/share/9d20dc86-2325-46ab-aee8-8ebc1b786ca3

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133542970105633743"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
640	chrome.exe
640	chrome.exe
4508	chrome.exe
4508	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
640	chrome.exe
640	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe
Token: SeShutdownPrivilege	640	chrome.exe
Token: SeCreatePagefilePrivilege	640	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe
640	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3944	640	chrome.exe	89
PID 640 wrote to memory of 3944	640	chrome.exe	89
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 4768	640	chrome.exe	91
PID 640 wrote to memory of 1992	640	chrome.exe	92
PID 640 wrote to memory of 1992	640	chrome.exe	92
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93
PID 640 wrote to memory of 4524	640	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://share.multcloud.link/share/9d20dc86-2325-46ab-aee8-8ebc1b786ca3
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3c5c9758,0x7ffd3c5c9768,0x7ffd3c5c9778
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1864,i,1622274782670944700,7788462017053394138,131072 /prefetch:2
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1864,i,1622274782670944700,7788462017053394138,131072 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1864,i,1622274782670944700,7788462017053394138,131072 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1864,i,1622274782670944700,7788462017053394138,131072 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1864,i,1622274782670944700,7788462017053394138,131072 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1864,i,1622274782670944700,7788462017053394138,131072 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1864,i,1622274782670944700,7788462017053394138,131072 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5112 --field-trial-handle=1864,i,1622274782670944700,7788462017053394138,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
0a29837d92a0fd3544d5165b97b5a806

SHA1
71a3b613305ae899ee2a2073ec2b85ffa1ee63ef

SHA256
1f74b0c71d872d2aaecee94ad9fc754f51dfadd34cbd45147d06d8fd223c27e7

SHA512
dab4cdea61b78354f1326695aa5e1b1f1dcc77794138d31f1e44710a5b0c0effa1e0663779bc81d3179f0522c5a278577da55acaa1073234e5028bfd2c246111

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
dfe5b11776bb6257481abc49a64f6403

SHA1
a5dda9121b3d09c644638bb1c79d1832850b7f5d

SHA256
e6ac7e3f428625db0d3fb06ce8b71d6a130b167545b83d853388f02edf42330e

SHA512
3633e806f592eab25d6d32319d2e61fa10912b91066b3ae471835bf7e94df941b79155c5daf4e7ef6916c828169345f3adbdd33b52901607840ecddd1bb59e53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e0e0bd1c15eee259986d504624c96d22

SHA1
9516fe216cac6a149163d423204e9a00b961a19a

SHA256
7f0780009f6ffa52f40a2c231fb7824446dff251fc9d14398f0a8a343651ebff

SHA512
fe7c6880233455f61f7989536bd9643573ad2530a4633f6081189ca4cca6d40627c7ea026ce6a0b6149ecc6c9c52966cd1135dd7d780fa058706e23542bd7726

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
6a65dbd075ca7f93acb9519c2b468c80

SHA1
9ceaa3adddcd00d1c7e7ff18de778d3df3bc288a

SHA256
9c15c116cd0bf590680a99b106931e0af084ca1a4f641c48f655019da538a070

SHA512
aa5a8019b19646af72d85511539469c6397f6b7489b5247973ac06b8d55d79d306a4e5a73ddbb22c25c58dacef4cfc5d8cae2863207c46160f50c2587fd3a5aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
85e997fe3a7e41ebef1bd64cf0801945

SHA1
2905a27dcbaabba23337f839d77b79a2f6206a5c

SHA256
561e61496ea7579679e878aa718f838ee0ca0aa5181ab28e38e08b64d1fb8a18

SHA512
a53acc9c916d1dccc834677d795cf7a7906445ea338618e7b8bc92a9643ea6ecf7a1293ac13ef5074f4819d21e0d68657b7c898228de90526dda0686a599f252

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
99ba9df747e4c2d8733b996886a367fb

SHA1
cd42cf0e0735663f56904d9c2e50a288238b6ffa

SHA256
d38742a259d9a569693ead1536267e574785af543ce79b325a80e003a9bb43ee

SHA512
3977fe319524466827918214234f7a57617e811b429733cd9c4206329c2e4b24895621fc5c47c36c16d2b7aa9f20ea308857f9d67d0d8180ef826672f1aa44b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
648f170fdb652016f3c1453d98f4359a

SHA1
851353a392f86d8c16a1231ec28f79473f8df54a

SHA256
b00c551ad0fa2cc7c75c3d0c395f83f60a87ea22b2925172799baa82d0981642

SHA512
75cabf14ff60efebee6bde1a05b09f03a219f6c2864867a938274774ca1915f4b8c47665fa21a7584056c56cbc2a78b957e69268e2a4d94c57e295456142cda5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit