6f9f560bbc768a2328dc327cff11ad8532cab720db625bd74e44879d7edb43ff

Analysis

max time kernel
1800s
max time network
1698s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
08-03-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OEBPS/Text/6-Primarchs-Content-8.html
Size

24KB
MD5

fe2e2646119db8c5162f290939d7be50
SHA1

af254c9cca32f4f159318d46a5315730bfffeaf1
SHA256

f60608301559c8de1859472524a0851533d46503afbc54273d0049d8062bb312
SHA512

3b9c263248aa608e0ac396a6e1e2781ff0415013e9741ab9faddcfd4df80c388e61b83f88549edb0e752dc9c9d90b2fcab97ce51e6df6fce1230d1a98778de7b
SSDEEP

384:PT0KMQurLDUOLXf3iqIQ6qMr+0b2tyVpEXrF+lDZnBz1BOoQyH1Ya+w1TGrcsCB:PwKUDUOLviAo2hQllnBzOoQyqWGrcsCB

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133544017652212640"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1356	msedge.exe
1356	msedge.exe
1980	chrome.exe
1980	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1980	chrome.exe
1980	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 644	1980	chrome.exe	96
PID 1980 wrote to memory of 644	1980	chrome.exe	96
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 3528	1980	chrome.exe	100
PID 1980 wrote to memory of 956	1980	chrome.exe	101
PID 1980 wrote to memory of 956	1980	chrome.exe	101
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102
PID 1980 wrote to memory of 1264	1980	chrome.exe	102

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\OEBPS\Text\6-Primarchs-Content-8.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa297e9758,0x7ffa297e9768,0x7ffa297e9778
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1864,i,16376415679421799215,1551545079825982169,131072 /prefetch:2
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1864,i,16376415679421799215,1551545079825982169,131072 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1864,i,16376415679421799215,1551545079825982169,131072 /prefetch:8
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1864,i,16376415679421799215,1551545079825982169,131072 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1864,i,16376415679421799215,1551545079825982169,131072 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1864,i,16376415679421799215,1551545079825982169,131072 /prefetch:8
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4268 --field-trial-handle=1864,i,16376415679421799215,1551545079825982169,131072 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3556 --field-trial-handle=1864,i,16376415679421799215,1551545079825982169,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=6112 --field-trial-handle=2004,i,3518780201612530827,12523116488201166376,262144 --variations-seed-version /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5528 --field-trial-handle=2004,i,3518780201612530827,12523116488201166376,262144 --variations-seed-version /prefetch:8
1⤵
PID:2616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3156 --field-trial-handle=2004,i,3518780201612530827,12523116488201166376,262144 --variations-seed-version /prefetch:8
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
070da8911c03a264155ea77d346d846f

SHA1
77c82965473c3e74de8d8c3d22c520e85d31b79e

SHA256
42116292c0942e390969da0a3c816855a1d6c16b5d7c2625a3a835eb80bca103

SHA512
04977f0b8f2aeabd98a16cf50cf5b818d2fa8381b4821deb5b5c929cb26f07cfae9629bfd513b40df77904d5bd5c0e913a42d508befeedcaa5d796f4b3113db1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
aa50d84613e3441447126450b577fca9

SHA1
2fb3123fed69422e2cd702007c303f09ef7c7f1a

SHA256
d91a099caab8f5f74304acdeb5e4f003d9c33de55a1d8ebe028294adf06ed76d

SHA512
0a303c2d9bc759e6d7d7611f60e161ad85d56c8b94ca6ce4318535b89d4ad1867b8ef9df76cbcce1cc0b690056e5c352f44b4f7e958782a70f5bf08c01d76f1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6ed9a5b93c22409c5ea5d2a50fa8a429

SHA1
68ef5769baaa398dd71349400b44223cd7157b79

SHA256
6d32aeb1ea74355a56033c75fb44991939615b096ff019b928879f66607fc532

SHA512
764d237af4e23915f1ab0943d4034caf8c0b74975d8f33849a90702ddd62fe907b6edf68a77840c4a148614a189f8b5db8455ad332e4b347734b8b40152bf490

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
66b3c79fdff0543e654e09510b279f13

SHA1
01eb546ef1b95b453ddf83b0e517dd10de916b88

SHA256
bfb2a57d4519b8f19403e5aa5327c53a741f399903718e0dc685992d7f82ff4a

SHA512
cf1a26620a5e4d04ea5b54145adf60cc680f785f42831f627910980ab040da3390a66990fca48bd3a07fee82316e58afe8ae77f9832334f0736729244af52e32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit