6f9f560bbc768a2328dc327cff11ad8532cab720db625bd74e44879d7edb43ff

Analysis

max time kernel
1805s
max time network
1808s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
08/03/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OEBPS/Text/1-Cover-1.html
Size

760B
MD5

af9f3f7d5f538277c14dc51ce7d0b000
SHA1

254a93494f8e313ced45ebb677400f010262af69
SHA256

897ac7dfcd9e3d9c303a328925574274f7e611b809984496e102f225bc8d7916
SHA512

c01bf5676240add4c5c404bf79df5b3bbe9ab62117eae52b7141f94a8c0af0609aa7dd6da21b87d00141379baad12d409e97eef16730e52f882bae996144c994

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133544011645829674"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
932	chrome.exe
932	chrome.exe
1656	chrome.exe
1656	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
932	chrome.exe
932	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 3064	932	chrome.exe	89
PID 932 wrote to memory of 3064	932	chrome.exe	89
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 4044	932	chrome.exe	92
PID 932 wrote to memory of 3636	932	chrome.exe	93
PID 932 wrote to memory of 3636	932	chrome.exe	93
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94
PID 932 wrote to memory of 2620	932	chrome.exe	94

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\OEBPS\Text\1-Cover-1.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86df29758,0x7ff86df29768,0x7ff86df29778
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1860,i,14194225538497070211,8903975068427524515,131072 /prefetch:2
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1860,i,14194225538497070211,8903975068427524515,131072 /prefetch:8
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1860,i,14194225538497070211,8903975068427524515,131072 /prefetch:8
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3148 --field-trial-handle=1860,i,14194225538497070211,8903975068427524515,131072 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1860,i,14194225538497070211,8903975068427524515,131072 /prefetch:1
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1860,i,14194225538497070211,8903975068427524515,131072 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1860,i,14194225538497070211,8903975068427524515,131072 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4872 --field-trial-handle=1860,i,14194225538497070211,8903975068427524515,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1656

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2236,i,3767879903388292704,1374608533225245713,262144 --variations-seed-version /prefetch:8
1⤵
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3656 --field-trial-handle=2236,i,3767879903388292704,1374608533225245713,262144 --variations-seed-version /prefetch:8
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
60b615c18db3dca39269390c9cad5534

SHA1
14d13cba7235ae34ac245b49f573c1446b74b5d4

SHA256
085270eb7b52a100e10a227467cb8fb471e525bf5e7bbe1b93163c14dd56872f

SHA512
e1173eabcb1a2b91f83cbc3f37bfd34999ca48abf8e9ccab59ba010357a5f1b9d011c08124e5ef29a7c8b9b39808f2de5ee8f849713e911ea8d8a9937faf9576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
984d5dc0b93feb557cb673eef1e2a533

SHA1
29e233820c778b8c28940c9c81912e221c084910

SHA256
9639d1b25f4769f39cca0f23eb02811e30e10ed4d29a17ecf8541155cb2eaf54

SHA512
7837f26a1954d01089f49e13141b1a72ad76d604da6d9761eb624baf5fa54a62da5c828314d8baf1f80690926ce59e0d1a946e90c906f20673b18b78a6fb2cfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
395db38acfb631fa4dee10446e73902e

SHA1
00e65a9d3d9bbd822eaf8dd4c3b7df65dd524319

SHA256
2f07e2626175a0d051d0b01fdd939d7595cb908d10e5139b460f7cf63061fb52

SHA512
fe4899eec01aec3e51842691a1ce9dabb71cf89e52ca1c5405d81f27cee87a10433161cdefb6009c68a94d48c041d11e96fe6ee6ef2c92015ac1a5d6f2807d6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit