9110c6498cd6c64f7035ea0f915d1fa51fce1775c5282587c2e21d5dab1c9bd6

Analysis

max time kernel
1200s
max time network
1179s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2024, 19:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Free Software Downloads and Reviews for Windows, Android, Mac, and iOS – CNET Downloadrr.html
Size

827KB
MD5

e7a7046d8aed5ee76856b037c7a6459e
SHA1

de207e6ef6cc6bcfe2b498dee3cea5364826a829
SHA256

9110c6498cd6c64f7035ea0f915d1fa51fce1775c5282587c2e21d5dab1c9bd6
SHA512

16f9f606fb64420d5fa8a3e48798a084b495a07663fa0bce5d1580ace5378afabf1211813abbf901ef70c6bc41fd6e95bdecd2da3cd81ef8984d5d2b116da672
SSDEEP

12288:hhLhDIPdQiaLW9vqXkS3cY9r7QeQIOEvB8SRHrLTX8HLEfxtM1V+DNFZleSBvFFj:hhSPdQiaLW9vqjWq/omTiRw

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133558696471983655"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe
3408	chrome.exe
3408	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4740	4440	chrome.exe	78
PID 4440 wrote to memory of 4740	4440	chrome.exe	78
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 992	4440	chrome.exe	80
PID 4440 wrote to memory of 4996	4440	chrome.exe	81
PID 4440 wrote to memory of 4996	4440	chrome.exe	81
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82
PID 4440 wrote to memory of 3696	4440	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\Free Software Downloads and Reviews for Windows, Android, Mac, and iOS – CNET Downloadrr.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc35299758,0x7ffc35299768,0x7ffc35299778
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1784,i,11278879824959952976,16499778246278948584,131072 /prefetch:2
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1784,i,11278879824959952976,16499778246278948584,131072 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1784,i,11278879824959952976,16499778246278948584,131072 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1784,i,11278879824959952976,16499778246278948584,131072 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1784,i,11278879824959952976,16499778246278948584,131072 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1784,i,11278879824959952976,16499778246278948584,131072 /prefetch:8
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1784,i,11278879824959952976,16499778246278948584,131072 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4516 --field-trial-handle=1784,i,11278879824959952976,16499778246278948584,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3408

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a875e3c5536055159f2878650bb591f0

SHA1
a021bbcb4e313b49d24d77b1443cd37635cde229

SHA256
8e92381e58682fc6c63dd3bf8576a1b9d519157d3c24c7109f74d29d5bb45584

SHA512
3e7160cd326d1fa32101bcdd5b188d0f6debda4f9389c341bfd0d6ed67171db2173a6ab2355ae815b1a4f211481912d11bfb449b341c653b020f871151a750cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
701B

MD5
7f137a90c1ad4509eb9b551ecfb2edb1

SHA1
4daf4bb8c360dc59372f1c6fc54fa8e8e54f6014

SHA256
bae59c91bc4b4d7f2d6caaeeddcc69e8071d577eff9aa65a3febd6114990f39f

SHA512
917b8292754935259a2b9475e66c958ec4b8e1484a1e75a738abe419a25b8c94c368941e060df7a23762a1ab3ddab091cab4210aa60222ad8b5bc8278aa63910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b1404ffcf19181874d27c58658bac1a4

SHA1
39a08613b410a676fa92d1393db08631ab88d312

SHA256
e3a072927adcd6c5bf3b77cb883edb6b1b7d9ad5969ba17db0bd1bb2af77a7b6

SHA512
ec75d2ba38c1bb5dec67abec79a1e297a7fc67e9b0d3bf0e71187b6bc20a27000906d0752bccf224f1eb2db6afbf71c7a60908599f8345cdfdef741d496a5ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ffa15486bb7dde3a78986a2feaa7843d

SHA1
ac8339ca8baeb7870b433b288d3536bedf2c3fb2

SHA256
f0e383e1b4dd6a5570321100b7dc3e4e2af8b136a5c32b6a00e13b87b8dd7eea

SHA512
411e788bd23024d0d266893ab22c2b05a6b1caa831723b96edb3a4fa73daf42d67de999f0e2032334ddefa276a16a3c314de8843feb884db8acec7e0b4c71294

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
022ba7a4db0252d7388b60e24f8edc6a

SHA1
1a3d0d8c20dbd62ecad3bdebbd6c69b78e3a0bc7

SHA256
dbc07a2dff98e46eba588fb88ab8cf6ba00ad09ea44bc780938fcd84dd81bc71

SHA512
048f5cc2e4ec11740c2b748ac7e25d65ac07b68c1d353faf3391f08423855f58fa51867b2c4b73867f5fbdbe0f484949dd3f0f8bcd2d80c201658e4da573a3a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit