Analysis
max time kernel: 300s
max time network: 301s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-03-2024 09:54
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1213306680360574976/1216087706157973624/nep_cheeto.rar?ex=65ff1cee&is=65eca7ee&hm=d41caafdff0a040bd7466f9fe527e2d4f34413855b09f46f92dc62b1d62bd14c&
Resource: win10v2004-20240226-en
General
Target: https://cdn.discordapp.com/attachments/1213306680360574976/1216087706157973624/nep_cheeto.rar?ex=65ff1cee&is=65eca7ee&hm=d41caafdff0a040bd7466f9fe527e2d4f34413855b09f46f92dc62b1d62bd14c&
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133545381078447204" | chrome.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
5068 | chrome.exe (2 entries)
2776 | chrome.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid | Process
5068 | chrome.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 5068 | chrome.exe (32 entries)
Token: SeCreatePagefilePrivilege | 5068 | chrome.exe (32 entries)
The 64 entries alternate between the two privileges; identical rows are collapsed above.

Suspicious use of FindShellTrayWindow (42 IoCs)
pid | Process
5068 | chrome.exe (42 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
5068 | chrome.exe (24 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 5068 wrote to memory of 1144 | 5068 | chrome.exe | 89 (2 entries)
PID 5068 wrote to memory of 4844 | 5068 | chrome.exe | 91 (repeated entries)
PID 5068 wrote to memory of 5108 | 5068 | chrome.exe | 92 (2 entries)
PID 5068 wrote to memory of 1560 | 5068 | chrome.exe | 93 (repeated entries)
64 entries in total, all from PID 5068 to the four child PIDs listed; identical rows are collapsed above.
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5068)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1213306680360574976/1216087706157973624/nep_cheeto.rar?ex=65ff1cee&is=65eca7ee&hm=d41caafdff0a040bd7466f9fe527e2d4f34413855b09f46f92dc62b1d62bd14c&
  Signatures:
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Child: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1144)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffa84c19758,0x7ffa84c19768,0x7ffa84c19778

  Child: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4844)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1936,i,13564320205697589863,2164914801710548963,131072 /prefetch:2

  Child: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5108)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1936,i,13564320205697589863,2164914801710548963,131072 /prefetch:8

  Child: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1560)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1900 --field-trial-handle=1936,i,13564320205697589863,2164914801710548963,131072 /prefetch:8

  Child: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1980)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1936,i,13564320205697589863,2164914801710548963,131072 /prefetch:1

  Child: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4468)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1936,i,13564320205697589863,2164914801710548963,131072 /prefetch:1

  Child: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4664)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1936,i,13564320205697589863,2164914801710548963,131072 /prefetch:8

  Child: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2284)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 --field-trial-handle=1936,i,13564320205697589863,2164914801710548963,131072 /prefetch:8

  Child: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1512)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1936,i,13564320205697589863,2164914801710548963,131072 /prefetch:8

  Child: C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2776)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2788 --field-trial-handle=1936,i,13564320205697589863,2164914801710548963,131072 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2676)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\rundll32.exe (PID 2628)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe (PID 4804)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 0ac11a9d6c4640d6d74db483c6e4b305
SHA1: 26e3e6913f0fd4c0c4d10b7c0462a6d9e904a1cd
SHA256: 9bf28aaa01c679d454f96f20b864eb4647598eb298912aace8b90ae3d27b87f8
SHA512: e0707735ba401234d8a9c0a0f832df9627e98edfe1a01a712575ac4d97ddec0cff0da0ace0e3d0c282bed40b19a0e2b1293dec101d4e218f0571fb8f57989eb3

Filesize: 1KB
MD5: f23b1efc9a26a23415e084279fe1737d
SHA1: 3585b86bb84d1139ee70b8001d5f0123117cdf5f
SHA256: a72ee6122c0f40d06950063ea8a8a3e50030070e7cea1094b0eaeebfd743f568
SHA512: 91c36f30c9864edb5372b3140757613d628491a5e1b2c60095768b497916d2edcb9079f62cabf23ee2f9bd8ba0b055f438d53d7cc4b8eb9254db2adf3fe2c952

Filesize: 6KB
MD5: bd1199386b88ef7a62947413eea69f85
SHA1: 4dcae9f30ecb4defb71dbe71e665a81f511dd831
SHA256: c1dfa933ae102ebccbb98d36450508c84d85773a7decf5f4432febd87942bbb1
SHA512: 3953dc707624df589f1ffe994885443f0281216be7b79de1b720d162897c03f1d311eeaeb7825f3aa8c9265ca3846113cd17fa5e5b576c742f7f2fc23d80eb1a

Filesize: 128KB
MD5: 2c74f4559e01b5f937957b2b56670028
SHA1: cad42baee083dc84f22d079ea06c7408bee05a8e
SHA256: c8352421793a1e7d2cc4a0fb3c9a95807f34df56c9dc29eadc06bc3373fe172d
SHA512: 9a97c17e6f90e22db5b42a8d004c0c89689177f42823d9c4ec77ff61ea6813286ab1becabd87cbd655041121f5173b4c99275a373fb504fe1485a0527dfa44f6

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd