8fc3b1fa5ecb087e05099a67e7b39a8b452830b2e36c50a1c2c5f179c74e5402

Resubmissions

14/03/2024, 22:37

240314-2js8asbc83 7

14/03/2024, 22:36

14/03/2024, 22:34

14/03/2024, 22:29

14/03/2024, 22:22

Analysis

max time kernel
41s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20240226-de
resource tags

arch:x64arch:x86image:win10v2004-20240226-delocale:de-deos:windows10-2004-x64systemwindows
submitted
14/03/2024, 22:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

sscserviceutilitiy_4.30.exe
Size

967KB
MD5

51fe74106def0860fa5c15f5711fe298
SHA1

4df1243bf6ad0c3e0043eadfca7458c20721e1a8
SHA256

5707312fd6972376c62ce4703e87c349ea40d527a64d58a5d2cbe060c19b558e
SHA512

40527d0671162a690fdec49004c7127519ebb00a38f3baa778a1faf2a8d19c8b4a96ff539541f9da8db14d1d24e6fd3ef4fcec5aef36a93b4fde843ac2ae9538
SSDEEP

12288:EVcSgU/RWy1jHJaKVvip+u7hK0f55R2MES/X5qX2uUFEVBxmh7KK/cUr8P5oQ:EVHZr1jJasaKKTwX2KfI/nQP5x

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
6080	INSE0DA.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133549294753314925"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3292	chrome.exe
3292	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeCreatePagefilePrivilege	3292	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 576	3292	chrome.exe	99
PID 3292 wrote to memory of 576	3292	chrome.exe	99
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 4372	3292	chrome.exe	100
PID 3292 wrote to memory of 3668	3292	chrome.exe	101
PID 3292 wrote to memory of 3668	3292	chrome.exe	101
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102
PID 3292 wrote to memory of 1600	3292	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\sscserviceutilitiy_4.30.exe
"C:\Users\Admin\AppData\Local\Temp\sscserviceutilitiy_4.30.exe"
1⤵
PID:2428
- C:\Users\Admin\AppData\Local\Temp\INSE0DA.tmp
  C:\Users\Admin\AppData\Local\Temp\INSE0DA.tmp /SL3 $100046 C:\Users\Admin\AppData\Local\Temp\sscserviceutilitiy_4.30.exe 982896 986310 61952
  2⤵
  - Executes dropped EXE
  PID:6080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfcff9758,0x7ffcfcff9768,0x7ffcfcff9778
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1804,i,18401721723468212432,4345672460207345511,131072 /prefetch:2
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1804,i,18401721723468212432,4345672460207345511,131072 /prefetch:8
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1804,i,18401721723468212432,4345672460207345511,131072 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1804,i,18401721723468212432,4345672460207345511,131072 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1804,i,18401721723468212432,4345672460207345511,131072 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4660 --field-trial-handle=1804,i,18401721723468212432,4345672460207345511,131072 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1804,i,18401721723468212432,4345672460207345511,131072 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1804,i,18401721723468212432,4345672460207345511,131072 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5264 --field-trial-handle=1804,i,18401721723468212432,4345672460207345511,131072 /prefetch:8
  2⤵
  PID:1164

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
1a2f2a6e57a60542b565ecb4736f19b0

SHA1
2958262ad19087390bcc808b41d50ae61a31ca6d

SHA256
adcffd616812f58e9fb4be08021fa48e29b36fac73c572faa0cc59b9d5022bec

SHA512
6bd84f9201beefe2750f3a9513317d0a092a7e3fe8c1d4f926f8184bb7ab0f59337b20a44156dc4b6ce53ea0ed41bfa15c1721409b235619931c7a3e745c1fc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2d6d31bf0507057b74d20c3461cd0ef2

SHA1
6b3d79241815d4aeead5437050b42cc8b725009a

SHA256
255afa637904e999cf66d1d6de7866c08c82af86b53133f975a8dc89e790f78b

SHA512
f5d2fd8c2d97a8fb707d333cdb7670e02072102ed3c0ed66e613887b8091329f09dcad1ebb3619a1c05415e716a3a055bfa83b954808fa056082a07ef44cd185

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d7416101fb9fce62a179d09f4268a7e3

SHA1
2b362c09d7a13ca226aeb801c9917649329351e2

SHA256
2ac2e2419f5764d26fe66b4e2fd2e0e8c35051027a3f04e1154db70293996d41

SHA512
5714f7864a4c57d6f7acedc4f60f6de3dd4c499aa2ef76a1cb4120a18ce79cda5ce9c42b7c19bf1e98aecf829102e59bc368dbfb664a3ade7e3821bfc2b1368d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
a5348fd65b82f30c8c34131a53d7afea

SHA1
fccd6f33aa6993385ef38db2eaf9ebcf1e45b175

SHA256
b91e4d92a61a815cc1078b28d7d01767cbc180f40c46cd3c958deaf8ccec9f3c

SHA512
65606840b873979e84ff4b12589a965a4bdcef877f80446bc7652b00c45c01833001d97272a2b0058394e05a678e3000e9317d0a03988cca65d921ac1e1b9a86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSE0DA.tmp

Filesize
377KB

MD5
ec2a3559ef793d976d3f72252ade0b68

SHA1
1673ad41b3683d9fde4e331ef97711af05c4c014

SHA256
995ca25e8ac883429e67e2985887c2dc122e4d3cca48d6ab5b545e6a896ae2e1

SHA512
a9f77b1735eb88e3ed790a0bb00637a616c33414cbb6f0b582322759a3bea3bf2fd7a334f92c17dd9f1669acdacc7551611ecedb80c11e999ddd120f104355b1

Download Submit
memory/2428-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download