hxxps://cdn[.]discordapp[.]com/attachments/1201473226614788217/1215747021483282442/A-Photoshop-2024-963117[.]zip?ex=65fddfa5&is=65eb6aa5&hm=b9ff61831f80a6d98170a00083591b80e41f478c2e46a517a8f55f2e43f7a01c&

Resubmissions

08-03-2024 19:46

240308-ygyhfsfe3t 1

Analysis

max time kernel
33s
max time network
21s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
08-03-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1201473226614788217/1215747021483282442/A-Photoshop-2024-963117.zip?ex=65fddfa5&is=65eb6aa5&hm=b9ff61831f80a6d98170a00083591b80e41f478c2e46a517a8f55f2e43f7a01c&

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133544007890458439"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe
3644	Setup_02026.exe
3644	Setup_02026.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeDebugPrivilege	3644	Setup_02026.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
3644	Setup_02026.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2556	2372	chrome.exe	72
PID 2372 wrote to memory of 2556	2372	chrome.exe	72
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 224	2372	chrome.exe	74
PID 2372 wrote to memory of 2132	2372	chrome.exe	75
PID 2372 wrote to memory of 2132	2372	chrome.exe	75
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76
PID 2372 wrote to memory of 1560	2372	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1201473226614788217/1215747021483282442/A-Photoshop-2024-963117.zip?ex=65fddfa5&is=65eb6aa5&hm=b9ff61831f80a6d98170a00083591b80e41f478c2e46a517a8f55f2e43f7a01c&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xcc,0xdc,0x7ffb8ab09758,0x7ffb8ab09768,0x7ffb8ab09778
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1672,i,15481032113724238160,10149853267476704729,131072 /prefetch:2
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1672,i,15481032113724238160,10149853267476704729,131072 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1876 --field-trial-handle=1672,i,15481032113724238160,10149853267476704729,131072 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1672,i,15481032113724238160,10149853267476704729,131072 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2824 --field-trial-handle=1672,i,15481032113724238160,10149853267476704729,131072 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1672,i,15481032113724238160,10149853267476704729,131072 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1672,i,15481032113724238160,10149853267476704729,131072 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 --field-trial-handle=1672,i,15481032113724238160,10149853267476704729,131072 /prefetch:8
  2⤵
  PID:2400

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\Temp1_A-Photoshop-2024-963117.zip\Setup_02026.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_A-Photoshop-2024-963117.zip\Setup_02026.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
830b5553a680f9ca7d55974af1b0d570

SHA1
bfb3bad359f64f6583b2d909ce21f0b35b226235

SHA256
fca8114c27732ee3921fc3ad8a93830532b3ef7d900ac27bb2a10456b2a3115d

SHA512
3c94fe270309d005d696f542f4b23217cc1950c6a1b8db4243f28fdc70d2b357d17051a894a6927140db332cb96d8a6dbbd521b4ffd86104b1a012b5c4ae1ac1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6cd61758b618ef64e3ec8ec5a225aaef

SHA1
5d3f58012f2fb146e24e8bea350ad1e1714a3aae

SHA256
fe12d09112eba93280cef0d40e72e32f145007cdd9753109bd74aae37a138b27

SHA512
be649dfb23fee097c2dd7e00e9cf5e2853b3a9deb558748b3d105506996206779ccc509f238b34d4f432cab045102f06e7050b0fddfe950edefd615ca8fb4d0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a06a8192b64c7acc49722a7f90e7ad86

SHA1
14e3078bd978992f9cb5338d95526904ea6643b9

SHA256
3b5cf6ba14a0879db81e902f998ec634ddaf07c850b7d19c0f84efc26e71f53a

SHA512
50d46124029bfbc9c3542a5bda81e8e93773acd6f9446dfa8971b6e7a584635c4fa6d189bc178e13a89415ac3b292dac2b5de793f8510bc24824e865dbe319f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
ab3bc4b3331a3b056f9c2f0e18fee164

SHA1
2d51e13ef5eba5716c86b7811298acaab60d2a7f

SHA256
2070e09500472146b123bc07bcff23c8264b883c417719cfdf1b65da7e908efa

SHA512
f5418d2f98e2fa90b36982f666fd6d1586326eea8aeb6b0afc0514482da321be9bc670dbace6f8d1a37212e55a6b54b936b2e036829ea2d8c23fb7f9e905aaeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\A-Photoshop-2024-963117.zip.crdownload

Filesize
14.1MB

MD5
56524dcc3dafb8bf5adcabbc5a09df03

SHA1
aed26d5b35be085d63e323fa2e18c9cc41e5fe9d

SHA256
40fb37c67d5e0dbc5d517bc32c86785048ad343bedebd94bbc47262da1a25afe

SHA512
b9279c5477801b6aa77815cc26389a3342c903421dedafdf854e077532b6fb1ff2a621555660d3c699843d21c98afd5c8b9826b12d8a4d61a1fe8b6f23efb893

Download Submit