6f9f560bbc768a2328dc327cff11ad8532cab720db625bd74e44879d7edb43ff

Analysis

max time kernel
1799s
max time network
1809s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
08-03-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OEBPS/Text/6-Primarchs-Content-12.html
Size

31KB
MD5

b01648cd161c0edd1c55b83976c778c4
SHA1

b4615c7936309ee97e11937abb74133191c97072
SHA256

99c55da97a57f9e20115029ddaa4ca09082b1cccb6e9441d09529632fd16c833
SHA512

83ca398c0c680f0de6d1fd0b141719101583a00d3fe4aa730d263efeda663151d5dccdf14b76744c57c4ae57244e4e178886da8b0767a3c90558f4b8ad7a9255
SSDEEP

768:PUcm7+Q/OfGSRHal8+wMp9iFJLKhv4VkcXeawN:PUcm7+yOfX6lKMp9kC4Vkoc

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133544016417343272"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3008	chrome.exe
3008	chrome.exe
740	chrome.exe
740	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3008	chrome.exe
3008	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2704	3008	chrome.exe	92
PID 3008 wrote to memory of 2704	3008	chrome.exe	92
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 2004	3008	chrome.exe	96
PID 3008 wrote to memory of 3552	3008	chrome.exe	97
PID 3008 wrote to memory of 3552	3008	chrome.exe	97
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98
PID 3008 wrote to memory of 2444	3008	chrome.exe	98

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\OEBPS\Text\6-Primarchs-Content-12.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b4a69758,0x7ff9b4a69768,0x7ff9b4a69778
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1828,i,17020522644496562855,4189555032640187346,131072 /prefetch:2
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1828,i,17020522644496562855,4189555032640187346,131072 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1828,i,17020522644496562855,4189555032640187346,131072 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1828,i,17020522644496562855,4189555032640187346,131072 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1828,i,17020522644496562855,4189555032640187346,131072 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1828,i,17020522644496562855,4189555032640187346,131072 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1828,i,17020522644496562855,4189555032640187346,131072 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2628 --field-trial-handle=1828,i,17020522644496562855,4189555032640187346,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:740

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2244,i,4088750094024149723,14939136959417447016,262144 --variations-seed-version /prefetch:8
1⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3468 --field-trial-handle=2244,i,4088750094024149723,14939136959417447016,262144 --variations-seed-version /prefetch:8
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3d218d1ed5002e3bdf1ce0ce5da32468

SHA1
1cfda7b2817771e97f0c4367ceff52a079c678f6

SHA256
062f49aef7dbafdd8f8c440e2f80d8f5658e644262374b942666fb21635e1142

SHA512
024d501b058dd345ebf6e63a4ff97cf03d2582de8eb94abe921eb3d4aae548b9575cb33824e7d45df47cc5ea8a6b744d65b5c7ac62414b007a2605488f0e9fea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ef8a2bb09290ee0b3ade37db77d4f6ef

SHA1
778cfd1233f6780189c034b5e71c71ab8c3e9f69

SHA256
182a6694106790f022b657cd3f2290bf47e975983b1fa5cdbefee7a61462d785

SHA512
d4c52e1d45055508d191bddfafd99668634ca668fef3c4a86f69e19f66fbbc4d1fbbb69345331e0889c3e242cf543d924b2934bab3260cba857c7efb76d502ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7a6ed81fb51e7e7c2f30eb8de995d8c1

SHA1
90be00757fe9f42d8754ecef6c0b46e035ddcb9d

SHA256
48616e5af878acaef6b54b49afaa03d58696c05f1da18d9039ab717857824cb2

SHA512
0a12aa0f3c8cf7dda1fa1dae64bebf87185c938b251d4e6a7831ebbcbd8af43af89404c332b374063b41d1eb0ee876e9d6a4a73c402c012a0b5a7a0f48b974ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
c8b51cbb03c9798f859f0208e2abbb6e

SHA1
84c7af7a6d4b359a0f2c62dcf8067b1a690d2628

SHA256
162daf881d2e2cd01f6e77fae167c85ece5c1850ad0c4657cad348c2ce74437b

SHA512
5121656017ff5ec0aa0d410dacbdc3accf5a4b25a83303199f52bf16bf59f747eb97b5a7611e9738d660dcdd982415723c8baef389d757a76211e3d2cf1421c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit