6f9f560bbc768a2328dc327cff11ad8532cab720db625bd74e44879d7edb43ff

Analysis

max time kernel
1799s
max time network
1691s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
08-03-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OEBPS/Text/6-Primarchs-Content-1.html
Size

30KB
MD5

39f83e036369ee8a936a686f161dee22
SHA1

916a226bd32fcfb30f05aaf6af38bec4ba24a207
SHA256

87f17b9682bf23c7149ba2ffa250b065115d6f9de58c74958f1c8ec77bc1e0a7
SHA512

1486db526feb5c9e80905fbed57e8ec5e7e3fd7cd5e112b6918c7510b71392b67bb9b3ae40d397d246a0cb330e1ea574bd715ce8a48c4b9ebdc4307cbe402069
SSDEEP

384:PTLHH3C/7r1TMSRORVdPY9e/Gw6qcZFj+NumuZx0a1A9v6HlQkn+Tyw+oEdS4WGp:Pny/duRcHf7ZFquZZfAqIn+oEg4SFWv

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133544015012639090"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
668	chrome.exe
668	chrome.exe
3412	chrome.exe
3412	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
668	chrome.exe
668	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 3752	668	chrome.exe	87
PID 668 wrote to memory of 3752	668	chrome.exe	87
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 3844	668	chrome.exe	92
PID 668 wrote to memory of 1496	668	chrome.exe	93
PID 668 wrote to memory of 1496	668	chrome.exe	93
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94
PID 668 wrote to memory of 2440	668	chrome.exe	94

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\OEBPS\Text\6-Primarchs-Content-1.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc181f9758,0x7ffc181f9768,0x7ffc181f9778
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1936,i,7565763578412313158,5638976568842273264,131072 /prefetch:2
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1936,i,7565763578412313158,5638976568842273264,131072 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 --field-trial-handle=1936,i,7565763578412313158,5638976568842273264,131072 /prefetch:8
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1936,i,7565763578412313158,5638976568842273264,131072 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1936,i,7565763578412313158,5638976568842273264,131072 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1936,i,7565763578412313158,5638976568842273264,131072 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1936,i,7565763578412313158,5638976568842273264,131072 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3800 --field-trial-handle=1936,i,7565763578412313158,5638976568842273264,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3412

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\9d369599-fd99-4d6f-8605-b9ff824acb6e.tmp

Filesize
128KB

MD5
97f54f7502cd2e23f166c19224ba01a2

SHA1
a05b3b6668cfaf7b518bc16bcc25572413e3f6e6

SHA256
1bd93443080785f4e75489e18f8a704614a2f5187ae1d04cb816bd53097ec94e

SHA512
68f1e7597737d5d093707e3df048f98344b2b274c4890a3d6e70a08a62a04103f217a3740e8118f7d4b08a39760b3badecc76bc5ff9f90e15c28b1bce7cc9710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\61f3837d-d2d5-40c1-baf8-be5fa8065141.tmp

Filesize
6KB

MD5
aafbee20f73e73aedb2ec09397fe7886

SHA1
b391f2b3f37eedeb4ab9a0ca73751c9fc04bd7a9

SHA256
8350b6f8551928546179dc9dbaaf8ca11b6ea07dfbc8ae11df32fdf7a66ece43

SHA512
a0c86c1c94b2ad564295caa0f9ae0c61b641df95d5092eaa88b61be9b53b7d6c90d3d13f385784c340d48fd0c2b932cc2d448cd74e33292653e50e9c3e31bf4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a38e9e676be9c70974862796643b9659

SHA1
45ff949b3a4d66ef98e7eba6576793d45ece2901

SHA256
d92e61b146d0d1a3313c0cd9404d86ac2920f2fd9dfa837c080767e6f173b872

SHA512
7fb9b7cd43247b2be2482a89bc9800a7630a890cced9350971c133969e3f9291fa317247325dc75d40b2d3dab72923e43a88bf711e46b40904496348e517b61f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit