hxxps://drive[.]google[.]com/file/d/13nOiQ-ZztAH_nnilBHPHtCEZFDgEEoMQ/view?usp=drive_web

Analysis

max time kernel
43s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
13/03/2024, 15:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/13nOiQ-ZztAH_nnilBHPHtCEZFDgEEoMQ/view?usp=drive_web

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
11	drive.google.com
12	drive.google.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133548190980082331"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{4B0078AF-EB7A-4140-B46E-E451967B4160}	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5048	chrome.exe
5048	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 2984	5048	chrome.exe	87
PID 5048 wrote to memory of 2984	5048	chrome.exe	87
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 4252	5048	chrome.exe	90
PID 5048 wrote to memory of 3940	5048	chrome.exe	91
PID 5048 wrote to memory of 3940	5048	chrome.exe	91
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92
PID 5048 wrote to memory of 4280	5048	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/13nOiQ-ZztAH_nnilBHPHtCEZFDgEEoMQ/view?usp=drive_web
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7ff994789758,0x7ff994789768,0x7ff994789778
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1876,i,8958292721607950821,14777129724462314787,131072 /prefetch:2
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1876,i,8958292721607950821,14777129724462314787,131072 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1876,i,8958292721607950821,14777129724462314787,131072 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1876,i,8958292721607950821,14777129724462314787,131072 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1876,i,8958292721607950821,14777129724462314787,131072 /prefetch:1
  2⤵
  PID:600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=1876,i,8958292721607950821,14777129724462314787,131072 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4856 --field-trial-handle=1876,i,8958292721607950821,14777129724462314787,131072 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1876,i,8958292721607950821,14777129724462314787,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 --field-trial-handle=1876,i,8958292721607950821,14777129724462314787,131072 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 --field-trial-handle=1876,i,8958292721607950821,14777129724462314787,131072 /prefetch:8
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5144 --field-trial-handle=1876,i,8958292721607950821,14777129724462314787,131072 /prefetch:1
  2⤵
  PID:3624

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
2a1efaa6465eec53ff333dfd74931818

SHA1
d9666bae4876c256517afb684597f35b171a2058

SHA256
272321abcabf8df8630a4ad52620cc7cdd2ef02d7eac09f206be03ce0d15c8ad

SHA512
065a747204df4573df8dab07d575250550c170079404f72233c75fff8ceec3c8cd54cedd1de48c037e1a36e1645be73ee334dff6db6c943108a78acb802be25d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
bc1469bbd3b8196f6021c21f29b319cb

SHA1
8f95dfda63423e0fb447c420f16ca6fed5470fe1

SHA256
52f2265be82f3555690e140f8141451d360ab84a0ff8a11b8e413e67445b206b

SHA512
2bf9e72c04d40694c4886a34c9dc8b056fef42bef4afd5959d50f7c4646b8eca39be3240b4b92055d271a53ef15ac319c11ca0d3fb12e75d07d028192032c58f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
cbb5766b01a3506f074b9a217f1f68c8

SHA1
5549d84ffc0bbc57fceea911502f217018374f15

SHA256
f3b26d946f2576a0744bfdce530d3f9e757f3b7fb60eb9c9d51317e76f60d3e8

SHA512
fd010b7ba3b24d8b90e1565d9ec484f86b9ed2fa248ec25f9026d55174bb96b2212c0e8d5aafa705efe2e57b4266c4174f82b615d1431fa8bf493c9bb6f7e13c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0cd52394a450ab74847794ff7a6619d8

SHA1
5266b4f707f2550946e212382627def01c78fca1

SHA256
43dd4ad1068f46dd4433ff0b6feaada48ee3c4c3dc2a7a311a17e31d11cebedc

SHA512
8c438798d4bdfc33446ac5ffa11a84c07c358159fe4f6b0bc094da2889f7bcda10e39d2f73e713d2f1d35d7647eb044cfa8a5214dfe05f1d9545e43aff92777f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f1c3a72aa1f149412568c4fc4207aa6e

SHA1
8bb783741e2a5f648766399a5b463bc652cfc93f

SHA256
ddefd0a4d6e970d4c033a86188c20c55266e15d4b9ee52830f6948265b441dec

SHA512
7895bf6874b3e002d0968bc971f23717a7c467591430bbcaebf39b390d714ee5d7b0b92d46fbfa46c6a2f2bd2969ece3c42173b23aff7e9220bfe22e678ccc58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
3de52d03d48c68b6a5538f692ec03414

SHA1
bff0454fc412fb0e75e7e93cc9ecc2cb69bd7935

SHA256
8568f190d9b51d68b1af2a0e9fe33a7c59a432974ab166815767f4b535febc62

SHA512
b2c0a16b5a7b10337c84dc28f8a721b9c72a42f4bc91d5ce65dfb43b6f6c42acb5fca0b8e1a12c6d0ba42e1b53089f55f372e96c500d77f3a105b1c9357e5600

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit