Resubmissions
17/03/2024, 13:25
240317-qpfzdafc72 116/03/2024, 11:53
240316-n2tpwsae21 116/03/2024, 10:31
240316-mknlwabb86 116/03/2024, 10:28
240316-mh4kbabb46 816/03/2024, 09:43
240316-lpxvnsgd3t 116/03/2024, 09:42
240316-lpqflagd2y 715/03/2024, 19:28
240315-x6vx7aha7v 815/03/2024, 12:26
240315-pl6j7aac75 714/03/2024, 11:42
240314-nt9q5sba9s 614/03/2024, 11:40
240314-nsz6baba5t 1Analysis
-
max time kernel
47s -
max time network
50s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
14/03/2024, 11:42
General
-
Target
https://google.com
Malware Config
Signatures
-
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 8 IoCs
-
Modifies data under HKEY_USERS 17 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of FindShellTrayWindow 31 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://google.com1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xe0,0xd8,0x104,0xdc,0x108,0x7ff842539758,0x7ff842539768,0x7ff8425397782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1832,i,6268555455479896760,5030192777007903745,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1832,i,6268555455479896760,5030192777007903745,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1832,i,6268555455479896760,5030192777007903745,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1832,i,6268555455479896760,5030192777007903745,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1832,i,6268555455479896760,5030192777007903745,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4576 --field-trial-handle=1832,i,6268555455479896760,5030192777007903745,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1832,i,6268555455479896760,5030192777007903745,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3292 --field-trial-handle=1832,i,6268555455479896760,5030192777007903745,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 51962⤵
- Process spawned suspicious child process
-
C:\Windows\system32\dwwin.exeC:\Windows\system32\dwwin.exe -x -s 51963⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5280.0.665931957\914329634" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b04a6581-94b8-4c46-8971-70d17f1410d9} 5280 "\\.\pipe\gecko-crash-server-pipe.5280" 1996 195459eee58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5280.1.2136654903\1536765979" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2356 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15a3f5e1-fab6-4088-8e4f-c6500c0b9fc5} 5280 "\\.\pipe\gecko-crash-server-pipe.5280" 2396 195458fa558 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5280.2.535364296\164017370" -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 2996 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58902c4a-d1e3-43f7-8938-565b516b4fe1} 5280 "\\.\pipe\gecko-crash-server-pipe.5280" 3144 19549b80e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5280.3.174883946\1470715209" -childID 2 -isForBrowser -prefsHandle 3352 -prefMapHandle 3348 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e1846c2-e2c2-4dc4-98fc-10bed77673f8} 5280 "\\.\pipe\gecko-crash-server-pipe.5280" 3604 19539162258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5280.4.2049964706\390516750" -childID 3 -isForBrowser -prefsHandle 4384 -prefMapHandle 4380 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cb4128d-1eab-4605-bc5f-4bab2bf948b1} 5280 "\\.\pipe\gecko-crash-server-pipe.5280" 4348 1954aecb258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5280.5.1570413441\1028374225" -childID 4 -isForBrowser -prefsHandle 5080 -prefMapHandle 5072 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e13af5d6-4566-4e79-bd98-9909991f732e} 5280 "\\.\pipe\gecko-crash-server-pipe.5280" 5068 1953912de58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5280.6.1227708304\1481265649" -childID 5 -isForBrowser -prefsHandle 5180 -prefMapHandle 5184 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5999f63d-9b43-4ace-ba49-2334ce1b70d4} 5280 "\\.\pipe\gecko-crash-server-pipe.5280" 5172 1954c019158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5280.7.503796981\118742545" -childID 6 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce309175-1609-4f4f-a701-82781c951c82} 5280 "\\.\pipe\gecko-crash-server-pipe.5280" 5360 1954c018858 tab3⤵
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3906855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
198KB
MD506d38d9bf028710762491328778f9db6
SHA183e1b6cbaad5ca5f6dc63453da324f8df28de193
SHA25691558d69c027808e375e11c80166dc6ba245fbcfce715c9588decc55b4a33dad
SHA512b197e5f92add72688396a07246ee9842a3b0de36508aa57f0254531cb109c77d0392e00ea28e006f9fbab1b8fee9b333998946de47ca7526b631e8c810780781
-
Filesize
144B
MD520ce26a1f38ca89ea86363670ee4e966
SHA158333fcd3957d6891c2303d1d6aca86a0426602e
SHA2560ecac126e374bbbeb79cd2e28f11fe6820243f4e65074cd5df1dbb70389a6569
SHA51296adf61265dfdaa6b2a92ed604a1cc7a488ada2e4f466cfd7ad0f0cafc3ce297a482ec0cc30a619a0ef6e2eba965fd4c5edb8f542a7616952d0d678601917908
-
Filesize
1KB
MD5b5e0be75d9336791f4a6f5fd01120bd6
SHA1261a906f658500694319efc9b1d3ec5f5cffce15
SHA256df2cf690b557452692acd056b1b435bbfbe24c6a6f8e135e3508a1daf07d89f9
SHA5121237f3122eca8027f63df6635e54e09ed52a8a07ec735e8e5d87c866611126ac1213a4107b9e1e9e226b8015ff451f226a6867482478320bfd5a3bc44b4e99f5
-
Filesize
6KB
MD5b41a54284f2708600227c0600e1d2b22
SHA1ac74d1287ff4f61d1ffcccb13e28186fe9cb52bc
SHA256cf23163d18b48642918778fb19fa4d9f14ff09a6a2068ac20daedcb52db5f25d
SHA512256603596bd3014c7c9b14837dfde49957525a21aa9eec3eea50e8de7eff1aee72144b10633bed78dcdf3d4d0de1bc303b86d70c9fceb712b18500e60c49c8fd
-
Filesize
6KB
MD57fe60390488862d72020b0a51b7550ab
SHA1e963228b22d70ad077413288aaa3a6db2d282e5b
SHA256d5ed4566d2e7ea9bfbf8018427a214f6377488d4b104ea0e65a94271d8ed8a4a
SHA5124028082e3f91ffa24e81adf2d8663900877253b7a7d11b872eab96db48393396b6d7d64bcd6ecebd777a7589a2e64c11958ba3c2c207a710d3138791701e1c8b
-
Filesize
128KB
MD572bccda100c71d8fea39528289984dd6
SHA16873d232f4d6fb7141985723b043cdbb4fccfc02
SHA2561e190c3ae273fec52801a467630c7b7274b93e50e4114b4d48432e2da4bb24a6
SHA512c528bb3ed9d35fdb02e8d94c2773b284cd0155d7a96b4e17ca694019ec32605dcc9ef2d1986b94542a723d176e8096fcb859153c1193b1c45f7d9726c2ea2cd0
-
Filesize
128KB
MD529992a694b5b6c33ab3d77ae54b2b111
SHA16fc81eeaa62118428445ce381b13259635ea82ac
SHA2568a96d027ff610e0dc0b3ca527ef103812f944c6ecafc7b84c3019e43f728df5c
SHA5120f50c8da781c8bf42a8563989e589d0bbf7966de9a277dac7d6a70d871b632094038207f030dd7379607420d035d659f4dafe773bd841a3c08977abd606d0bab
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
2KB
MD5363291ce2f2ff804771c10e5e401b84f
SHA17882246806168769700fd920d010006aa3392f28
SHA2567022b18c243c648aabe17ed3b2e95caa13c107c1b706865304f9af33745f7c87
SHA5123c5bb79602cfe7348f9b7f012108ecd58e807ca3f0eec799c69764d4f6e0ac5937316da78c4171b8e38db618986661fb1ed2087d2bd8e23bbfbcaecf69d96c9a
-
Filesize
746B
MD5786d8ccb3a1950e8b083a0a243699487
SHA1fc910c61538360f2715089526d4c6c7ff1745c0b
SHA2567aa6e1a41b5023023ce2e5e540aff4b41bd0ca077a02f477019dee145beffcf1
SHA51278786be51b5c7a89a7214ea75d70308313c38a651c19d064a41f45f9a594224202e05708b12ea8a39fd52ccc11fe363b57514cdb315671d1f47db5057b925b62
-
Filesize
11KB
MD515459d2f20112debcc5ad8b9af87b999
SHA18cb179c9263b27506ae87f14d787d38584ac6c00
SHA2569403a71023642f9d8d52afccbfddafee437840f4c39cd95c9e8c57fc67988a04
SHA512209f91128cd0233e67aff9b30b6d44c08aeb6a950701a59551d1327d0c080271b5012000c71c6aff42b37471b9941a0f995d811f66f17bab08818ce73804169a
-
Filesize
6KB
MD50c9455d94f2ca30ab4573ba79e20339d
SHA182677a70c7db07269ecb8afdc86e9e9e074dd34d
SHA25685873751f4ae2a0ad92450eab04e3edc1c0503caf1295d8c254f63cf3766ad6d
SHA5122745a51c3f82d475ca8f1ab7eb47660a8355c73fe6625707fc2727a366925b286d16016d80fc8abbaf163e84edcad66c6391651f4df2c3aa5da2af4787a61531
-
Filesize
6KB
MD51c7a06988f92b85768df5f342a205445
SHA166dbe9498771eadb486082a5be93c9b4eb391f98
SHA256a80d524f834a267b528ae3f75bbea481d36e5b8ca333b10730649fe9189bd0aa
SHA512601df238d960edba1201199efd2f2295968642b2a3d5ebca60b02958093c1c5e72622a5d1f10e7f52d7e602edba2c5b07cbf00fb7fda455f74ba3ebf5be94b3b
-
Filesize
419B
MD5bfa25cc55cda709660065f78b6d791c7
SHA1a72fc4cdb8c0b541d68e8cdfa75c15eae99e646f
SHA25682194b1d5f2d36ed7a4cb2f114964c69d15f97bcdb4305cde69645e1b8b62fef
SHA5120dce1c1cadc72a717d5d300ae56aec1d1831efbf7fbd1a9b711d453b41e8210518677d05777691d6f5856f223d0c223b509ad223738ed45f37755876b02d6adc
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB