hxxps://1drv[.]ms/v/s!AtRaEcyIIwupgdteRGTuLZkcOGTEGQ

Analysis

max time kernel
29s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
25/03/2024, 20:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://1drv.ms/v/s!AtRaEcyIIwupgdteRGTuLZkcOGTEGQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133558718136016806"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3064	chrome.exe
3064	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: 33	2400	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2400	AUDIODG.EXE
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 744	3064	chrome.exe	87
PID 3064 wrote to memory of 744	3064	chrome.exe	87
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 1672	3064	chrome.exe	90
PID 3064 wrote to memory of 608	3064	chrome.exe	91
PID 3064 wrote to memory of 608	3064	chrome.exe	91
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92
PID 3064 wrote to memory of 4176	3064	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://1drv.ms/v/s!AtRaEcyIIwupgdteRGTuLZkcOGTEGQ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa1ec9758,0x7fffa1ec9768,0x7fffa1ec9778
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1884,i,2077533750945807658,9400599685612885589,131072 /prefetch:2
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1884,i,2077533750945807658,9400599685612885589,131072 /prefetch:8
  2⤵
  PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1884,i,2077533750945807658,9400599685612885589,131072 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1884,i,2077533750945807658,9400599685612885589,131072 /prefetch:1
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1884,i,2077533750945807658,9400599685612885589,131072 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4624 --field-trial-handle=1884,i,2077533750945807658,9400599685612885589,131072 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4956 --field-trial-handle=1884,i,2077533750945807658,9400599685612885589,131072 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3752 --field-trial-handle=1884,i,2077533750945807658,9400599685612885589,131072 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1884,i,2077533750945807658,9400599685612885589,131072 /prefetch:8
  2⤵
  PID:724

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0bde5e95fefaf129a3dc2dbfc931df37

SHA1
057ecc4cdd4005a3da1d147c59d232f6c4d4d8fa

SHA256
8f39af6d232d8cb8e6d782adee16a72cd71c957bbbb692c7156ca7c653397234

SHA512
a27d71a967bb5084a7b68802eaae938a4a6562d1950e0fe6d5779d85dc47d1f153c3a258094b08d6bdeea0c2a9cb5fccef92f7e63a34d54f14b047e221c37846

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e237723ec61e9b3c6ce2717db1a73dcd

SHA1
7fcc9870caaea877bd7910fcac5a5441e94a6acb

SHA256
1500ac6a1db200b366fec46eead6e85b83afa27753d7ac7a8c789e82edda98ae

SHA512
1d105eab389327ad4e56787dce9f615c5d31766b9015c68a7ffabd305f4b6a913b9102ed2f044fbd65d9a5d15ecbb705501b825c2069ea4766d3f1376d246045

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
57fa7609eb3eb50eeff4bee5efb9793d

SHA1
6c2670ad147cbecfb8becc8c00de8ea4b096d3e4

SHA256
b7fc07d8d1a46c12db71da30a66b999e91adbe8eb36b8996c9f4013f2dc68de4

SHA512
fafec791ecfa6be4f3cb6d9ffd5ae361977ef7b00fa0315d2a5cf1aa2cc43a93d542c3615f3816b123d3b9ca6203295a2aacad52a88770f8e3eb78f524f786d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a73d334d5c1a8e9ef7c62ecdef72b48e

SHA1
c9dd835c7957dc2ebab94362afcd5a63708a25d3

SHA256
a0a5d669d3a402f322c34a6ac3c067990fa7109710dcc53b6740e9301531bc9b

SHA512
6bf19b050fe60e68797e1c46f59d955f4225cec2d998cdcadd9a681990324411f6a18e4ca741a03b6bc2133d893f413429844cb5071e10040151713d3add184f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57947f.TMP

Filesize
48B

MD5
8aa906d4060045f50ce7609f3d99457f

SHA1
65941938b2b235690ac4c957333d80cc16b1627c

SHA256
87350386c8bbe623615fb958074fc262703951d5c73e2414bdcd11fc95d9a564

SHA512
38a4c8bd9334a89e778e945d9726ee43c2896daf4e160be3b2e2e17875b339fd5cfd784dc590ba0ddfec59d7971a828a45bf649ae2317416ea83157f13c76455

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e8dd63bf-307e-435f-ba36-22e0d8e8766d.tmp

Filesize
253KB

MD5
81f687064a3026c10890e7a67d4a6b5d

SHA1
1e3b81683675019fe924e1a7fdbb69db32b6eda4

SHA256
f06ea627d3fb50ebd39885a6e6bcf692e6016f6aecab1b1b68473acfc8add795

SHA512
ebff4df99b8a65ddc140c2968501b13d50c3ba96283b20d1f310fc3c2ca1cbb1b59b68de512d96434bfdab81337c88df5df10ca96a23c6159d5893de52fb8899

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit