a91f0751daaea7fee73c87370e94c989c6e9d058545403ba75e7cf241701dae4

Resubmissions

15-04-2024 17:10

240415-vpz5gabf35 1

15-04-2024 17:09

240415-vn3tzabe93 1

Analysis

max time kernel
30s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trusted Root Certification Authorities/Digicert High Assurance EV Root CA.cer
Size

969B
MD5

d474de575c39b2d39c8583c5c065498a
SHA1

5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
SHA256

7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf
SHA512

7b9cf079b9769dfa9eb2e28cf5a4da9922b0f80e415097d326bf20547505a6ab1b7ac6a83846d0b8253e9168b1f915b8974aec844a9b31c3adcab3aec89fcd07

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133576747015999549"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

3080 chrome.exe
3080 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3080 chrome.exe
3080 chrome.exe
3080 chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe
Token: SeShutdownPrivilege	3080	chrome.exe
Token: SeCreatePagefilePrivilege	3080	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3080 wrote to memory of 848	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 848	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 4896	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 3172	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 3172	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe
PID 3080 wrote to memory of 2204	3080	chrome.exe	chrome.exe

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe cryptext.dll,CryptExtOpenCER "C:\Users\Admin\AppData\Local\Temp\Trusted Root Certification Authorities\Digicert High Assurance EV Root CA.cer"
1⤵
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc6dfab58,0x7ffdc6dfab68,0x7ffdc6dfab78
2⤵
PID:848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1944,i,15251415121688604057,10628890113452208949,131072 /prefetch:2
2⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1944,i,15251415121688604057,10628890113452208949,131072 /prefetch:8
2⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1944,i,15251415121688604057,10628890113452208949,131072 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1944,i,15251415121688604057,10628890113452208949,131072 /prefetch:1
2⤵
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1944,i,15251415121688604057,10628890113452208949,131072 /prefetch:1
2⤵
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1944,i,15251415121688604057,10628890113452208949,131072 /prefetch:1
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4352 --field-trial-handle=1944,i,15251415121688604057,10628890113452208949,131072 /prefetch:8
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4428 --field-trial-handle=1944,i,15251415121688604057,10628890113452208949,131072 /prefetch:8
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1944,i,15251415121688604057,10628890113452208949,131072 /prefetch:8
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1944,i,15251415121688604057,10628890113452208949,131072 /prefetch:8
2⤵
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1944,i,15251415121688604057,10628890113452208949,131072 /prefetch:8
2⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1944,i,15251415121688604057,10628890113452208949,131072 /prefetch:8
2⤵
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1944,i,15251415121688604057,10628890113452208949,131072 /prefetch:8
2⤵
PID:2756

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
352B

MD5
d69f644e61eb4a1789c97d7c914279e9

SHA1
a412e4dc4a8e2852e1229cdd6d18ef729b287440

SHA256
08fcd21e8606e33096aceee5e3329dd789e4e6854663009961711897ccce8b6f

SHA512
55eaeaedd8a7192b91b9aedb638ca8517077d62b2d39ed56130a3dd7389397f4a5e779e8114faa0bb2253936c8bd120a92f7f65c0e1effe7998ee056925781e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c28b53de1456d4a470f878686741d16a

SHA1
2cf9617f647decdc566d67ce6273f35d903cab27

SHA256
067bb25e10e69fd2f6c703cb99de165f9efa07764057ee3b8269d1dd7e755689

SHA512
8bcfb3dd5c4e17444ca56e8ad8fa4f39a268dc2e05f98c55ce3196610e7ef5b6e8ada207b28602331516fa58dbd5e689d68e154974a7030f76d064f2e8486ecf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
d2a7b62ea5ec24df1b5959072e134b34

SHA1
7ff90825e2b84e49b9d43ac678b9f896327c65ea

SHA256
57c2db4662c061c61b510cc280be1b6919330bcb7a52f8f2ed3571038d583250

SHA512
d6f02f6316009e78e93ac2a7a714625c93519594da37bdb4c70e3d5d9cb4dc61c3a9ad1e7ecc6c5064b1e59e8d78d7cf44c1ab17cbb7d23196f60b9b87e622b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
251KB

MD5
dc77d69e8773e447427e2d8aa1c6ec7e

SHA1
0deb98ccecc4b859964ececb76b7d402ac8ed9af

SHA256
1a7866c0d53363e6ecd6c8eb871c962c9e37655e048f565e051e334adea3a207

SHA512
1120061bc0d10429a824e5923383a75cbbae147e4b0c7181270c1e20dd3c8035871ce7e2179c77892b16ab4471bce89894dbfafa1d4df44a999a4597c5d9adcd

Download Submit
\??\pipe\crashpad_3080_CEVIQCCUVXKJZOSY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit