6f9f560bbc768a2328dc327cff11ad8532cab720db625bd74e44879d7edb43ff

Analysis

max time kernel
1805s
max time network
1813s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
08-03-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OEBPS/Text/8-Extract.html
Size

1KB
MD5

71776a89249d4bc29a541bfcb122f470
SHA1

5765ef7524e45957f480e76340d83e1f558b3911
SHA256

68233dd1adef587404869d4e9e244e1bf86cdbcad3235206352bf2d573fc2f68
SHA512

fe289ea22b9bae8e5b2292ef3abdf57b884289eaaa13f27ef5298f9506993b49a5b079dc88d9bcf7c3eeb3703f7496ca03d0e28ebc5550aab821c42fe40cc157

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133544020356255081"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
6104	chrome.exe
6104	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3596	2524	chrome.exe	97
PID 2524 wrote to memory of 3596	2524	chrome.exe	97
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1660	2524	chrome.exe	99
PID 2524 wrote to memory of 1112	2524	chrome.exe	100
PID 2524 wrote to memory of 1112	2524	chrome.exe	100
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101
PID 2524 wrote to memory of 1052	2524	chrome.exe	101

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\OEBPS\Text\8-Extract.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff02b69758,0x7fff02b69768,0x7fff02b69778
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1884,i,7736283759500897122,18276921981929484887,131072 /prefetch:2
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=1884,i,7736283759500897122,18276921981929484887,131072 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1884,i,7736283759500897122,18276921981929484887,131072 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1884,i,7736283759500897122,18276921981929484887,131072 /prefetch:1
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1884,i,7736283759500897122,18276921981929484887,131072 /prefetch:1
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4344 --field-trial-handle=1884,i,7736283759500897122,18276921981929484887,131072 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1884,i,7736283759500897122,18276921981929484887,131072 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4132 --field-trial-handle=1884,i,7736283759500897122,18276921981929484887,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6104

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3508 --field-trial-handle=1988,i,6364296261504278587,14971789135277820488,262144 --variations-seed-version /prefetch:8
1⤵
PID:5892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3020 --field-trial-handle=1988,i,6364296261504278587,14971789135277820488,262144 --variations-seed-version /prefetch:8
1⤵
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8fc971d6-9c19-4424-b5e0-c4abdbd08af5.tmp

Filesize
253KB

MD5
031f9fa24f6e769de267e9c383ec914d

SHA1
84d77adb03be3bd1e55cd25cd1b151acce09a29a

SHA256
a4e4ee02e33cbb722f29242425629f2a87cb94a2b334ad802106bbcb1370cca0

SHA512
0b66887dc54b96345002f172bd56ae5ce229d9a7d46f8b31a44e0b36b0440e0d2594779cda9ac559666a6a47b2c0206a86077aa1a44dc74becfd21b6cf30234b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
45b4731c02c7f7d50674ddcf7021595f

SHA1
8ebaa1a3873bd2cd8089b177cc62c9388b203d9d

SHA256
119b1cd5d2e12be130b0a803b22c1f6097e856a74d7f78f85807fe0f895b8e6d

SHA512
7a05c47001a22e64fd4aeab5f822b43a9e010a679ffc5ed2e965cc84b7d25e44b7944179056ee021878e2fda19c5f72e8d510ee89a7c4a0191d098ae92313c47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ee8367bd7a4d8a61744ae1d9a2a1ec37

SHA1
ec75b702efe1c6f0276a49696ae068ffa47852d1

SHA256
969371e41910e734db64885c845f875b4873a79e6dcf43dfcf299d1c00d7fd66

SHA512
3c57fc2b42d8f5f0595aa77f6de469e545a92341a33d7045534b828b0d8a9edd3ef5d3a9c32cf42b6702e3e38f96999dfb7d4ead2adedb9d7f3ad6eb6067d209

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3b40ec2007739c0f917b5c6fe4bd6bce

SHA1
0d4324b71de9c64e55a959bf8b1800dcdaf841fe

SHA256
b5839da890209ac40e134e069212ea4408745f94b5f35f241482c70f999713c5

SHA512
d55c0b5fd6643819eb9a33e70c1e59b5a216dc6d4354e1724d049cb60d76c0d3ce6f3244a6f12d146045dbcef06bef332fa5d1dac4484514c008ca404132e460

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit