hxxps://drive[.]google[.]com/file/d/1DX8UssYGJTZ7yfcj-HtBMuq8ByQUPBps/view?pli=1

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1DX8UssYGJTZ7yfcj-HtBMuq8ByQUPBps/view?pli=1

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
1	drive.google.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133544397439581871"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4168	chrome.exe
4168	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe
Token: SeShutdownPrivilege	4168	chrome.exe
Token: SeCreatePagefilePrivilege	4168	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 3908	4168	chrome.exe	96
PID 4168 wrote to memory of 3908	4168	chrome.exe	96
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 4860	4168	chrome.exe	99
PID 4168 wrote to memory of 3196	4168	chrome.exe	100
PID 4168 wrote to memory of 3196	4168	chrome.exe	100
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101
PID 4168 wrote to memory of 2652	4168	chrome.exe	101

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1DX8UssYGJTZ7yfcj-HtBMuq8ByQUPBps/view?pli=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaee4a9758,0x7ffaee4a9768,0x7ffaee4a9778
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1856,i,10767022997760375038,74178418646007654,131072 /prefetch:2
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1856,i,10767022997760375038,74178418646007654,131072 /prefetch:8
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1856,i,10767022997760375038,74178418646007654,131072 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3216 --field-trial-handle=1856,i,10767022997760375038,74178418646007654,131072 /prefetch:1
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3256 --field-trial-handle=1856,i,10767022997760375038,74178418646007654,131072 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4480 --field-trial-handle=1856,i,10767022997760375038,74178418646007654,131072 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=1856,i,10767022997760375038,74178418646007654,131072 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1856,i,10767022997760375038,74178418646007654,131072 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 --field-trial-handle=1856,i,10767022997760375038,74178418646007654,131072 /prefetch:8
  2⤵
  PID:3332

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:5456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
a542850c136e6eec299023dd28aa36ac

SHA1
dfc6e82b20eb7ea07e96770cec4821e104e928e3

SHA256
bd3863cb01bff285a8e744af74c9945c03cffdf3c1620170de182171c2f2f237

SHA512
59c59104a6d40406258532770c3a42882bf182a3f27f9f66f75442ce3309eec0037f3874d247c5c41a2bad3d6e6153e15bf3b52ec13e3331eece3ea93b3b98c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
58ffcf357a54b31b5f938d030198d70a

SHA1
a5b37f5e3d0af5c312021521b44453e91e73ea67

SHA256
e2ab5be0719f7d28b06f8140c305fc7d8ec9748c056a16d6f85b2fa0cd782c8a

SHA512
8104bc9972166403fb419d143234614985bfc2f2cd030f6966e410787925ce31babb7ec33f8d6bb4637c27ef63b005b98c8efa4ce43b51430f40ffec3ab98fbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1021B

MD5
8321a07b09b3bcd8b1ea986d22eb2929

SHA1
2a95ee042409545aab196269639b0e50bc587b1a

SHA256
a93d026a185a09bfccd7a25a49b7a8ad5068becda3e0d63d6bb80e8ef964d177

SHA512
d5e6fd37d710c03f8bc3bd13406411986a2d3cabae82e4cab9e15d85ef0c895bb123063e89c0423220cd22d57c49a14e7f73fbbb527bdfae427d9d4c99a281ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3ce7c762d26df6105c09beec37a0311d

SHA1
546b157dce1ab3c9ec7cb9e8b03c16970c110a63

SHA256
8061cce309610c66498f4e5619877cdc6764f06349027af7156ccf498d294f1d

SHA512
67923bcad1eb04d500e3ebd336725a5d76af5c105d20cde506ee7b7d6edf807764824e0c8f9cbc48795dc030a5a421be3d016919d899e436a3495a3632b5538d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ddca433f-6a13-4599-aea8-abec024a80c2.tmp

Filesize
6KB

MD5
7dbed937779985be41d7b22b907f84da

SHA1
616c17d79c0217f88afba88af462e16401a113be

SHA256
06048bfcfdbf9d7cf7b61b76a6c418e3573794ddaf047e5e345e1200e99c0133

SHA512
f6b5b74513062144543b4e1e75ae988736f5556cfbe5f42f298e594447ad04451f2591294abf164022cd1ff865b1faef25694da363ea093474fe9aa40863a398

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
affcdc58b5e3e8aeb4baa231bad55b52

SHA1
2cc2910605a2bce4cdd48297a7893b12d3ddd108

SHA256
679eec8cf30de2a907ce5630da6f34ad077f7bfa6b7ce4be108abf2549e62e98

SHA512
1083de3299bf033f635f9b4bea2909b1dffb96287b433d6623afcc9add0c8f105f34b129d41d0344e83a4edbc25dc0b656303a3a0f01b1de473adf0195021711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
acb150374b157e835bf180dfcced43a5

SHA1
5543c537570ea2e5df879d0631ef1098c305e3ab

SHA256
39e9d2754ed8127a9b0247c95db6af84e10faf389f5a52be928a6d63cfe42e89

SHA512
55c206aa02d56383488ec4b0fd9bff3da7f800a8b15e4ec88e09981648084c5c7b9693b478d239148de7623c5814728cac78daeac8492fc81228145f570d5599

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Steam.zip.crdownload

Filesize
13.1MB

MD5
0da1a066700a26b0989df109837c2346

SHA1
6a59994d33519e2475a963b9372d6626c6ae3207

SHA256
ef6e87e5b5b1ddc9585659277789cdb080020059f8914a0f7832f4fcca8ca9a6

SHA512
be7e1df1055c69ca1c425e7a1e74a895207d97aae7672f8faaf56986457f7b84fccd91e8e6a771f8f3a70a45e4254e45b1a6adefda5625175ef2a77278db772b

Download Submit