Resubmissions
Date                Task ID              Score
23-04-2024 22:06    240423-1z3agacd59    6
23-04-2024 19:46    240423-yg1yksbc92    10
23-04-2024 19:42    240423-yetrgsbc62    6
23-04-2024 19:38    240423-ycq8ksbc46    6
23-04-2024 17:41    240423-v9ez2aac97    7
23-04-2024 17:35    240423-v6awxaac93    10
23-04-2024 17:34    240423-v5ll1sac88    6
Analysis
max time kernel: 1800s
max time network: 1687s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
submitted: 23-04-2024 19:42
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/ytisf/theZoo
Resource: win10v2004-20240412-en
General
Target: https://github.com/ytisf/theZoo
Malware Config
Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
flow   ioc
32     camo.githubusercontent.com
38     camo.githubusercontent.com
39     camo.githubusercontent.com
40     camo.githubusercontent.com
41     camo.githubusercontent.com
53     raw.githubusercontent.com
Enumerates system info in registry (2 TTPs, 3 IoCs)
description         ioc                                                                     Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      chrome.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    chrome.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
description       ioc                                                                                                   Process
Key created       \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                 chrome.exe
Set value (int)   \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133583768917879078"   chrome.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid    Process
4736   chrome.exe
4736   chrome.exe
1220   chrome.exe
1220   chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid    Process
4736   chrome.exe
4736   chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                        pid    Process
Token: SeShutdownPrivilege         4736   chrome.exe   (32 entries)
Token: SeCreatePagefilePrivilege   4736   chrome.exe   (32 entries)
The report lists the two tokens alternately, 64 entries in total, all from the same process.
Suspicious use of FindShellTrayWindow (26 IoCs)
pid    Process
4736   chrome.exe   (26 identical entries)
Suspicious use of SendNotifyMessage (24 IoCs)
pid    Process
4736   chrome.exe   (24 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description                        pid    Process      procid_target
PID 4736 wrote to memory of 3624   4736   chrome.exe   84
PID 4736 wrote to memory of 1740   4736   chrome.exe   85
PID 4736 wrote to memory of 444    4736   chrome.exe   86
PID 4736 wrote to memory of 1832   4736   chrome.exe   87
Each of these four rows is repeated in the report; the 64 listed entries are all writes from PID 4736 into one of these four target PIDs.
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/ytisf/theZoo
  PID: 4736
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9510ab58,0x7ffa9510ab68,0x7ffa9510ab78
      PID: 3624
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1920,i,14575623106067360959,12766563822703616639,131072 /prefetch:2
      PID: 1740
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1920,i,14575623106067360959,12766563822703616639,131072 /prefetch:8
      PID: 444
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1920,i,14575623106067360959,12766563822703616639,131072 /prefetch:8
      PID: 1832
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1920,i,14575623106067360959,12766563822703616639,131072 /prefetch:1
      PID: 2216
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1920,i,14575623106067360959,12766563822703616639,131072 /prefetch:1
      PID: 636
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1920,i,14575623106067360959,12766563822703616639,131072 /prefetch:8
      PID: 2104
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 --field-trial-handle=1920,i,14575623106067360959,12766563822703616639,131072 /prefetch:8
      PID: 5016
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1920,i,14575623106067360959,12766563822703616639,131072 /prefetch:2
      PID: 1220
      - Suspicious behavior: EnumeratesProcesses
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 3832
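The signature section lists every write by the browser process into a child as a separate "Suspicious use of WriteProcessMemory" row, and records a raw FILETIME in the TPM telemetry key. The Python below is an added triage helper, not part of the sandbox report: it collapses an excerpt of those rows (copied from the report; the embedded rows are a constructed subset of the 64 listed) to distinct writer/target pairs, maps each target PID to the --type flag of that PID in the process tree above (the PROCESS_TYPES table is transcribed from the tree and assumes the tree is complete for this run), flags any target not in the tree, and decodes the TraceTimeLast value.

```python
"""Added triage helper for the signature section of this report (not part of the report).

1. Collapse the repeated "Suspicious use of WriteProcessMemory" rows to distinct
   (writer PID, target PID) pairs and map each target to its Chrome process role
   from the process tree above.
2. Decode the FILETIME written to ...\\TPM\\Telemetry\\TraceTimeLast.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt of the report's WriteProcessMemory rows (the report lists 64;
# a handful of the repeated rows is enough to show the collapse).
WPM_ROWS = (
    "PID 4736 wrote to memory of 3624 4736 chrome.exe 84 "
    "PID 4736 wrote to memory of 3624 4736 chrome.exe 84 "
    "PID 4736 wrote to memory of 1740 4736 chrome.exe 85 "
    "PID 4736 wrote to memory of 1740 4736 chrome.exe 85 "
    "PID 4736 wrote to memory of 1740 4736 chrome.exe 85 "
    "PID 4736 wrote to memory of 444 4736 chrome.exe 86 "
    "PID 4736 wrote to memory of 1832 4736 chrome.exe 87 "
    "PID 4736 wrote to memory of 1832 4736 chrome.exe 87"
)

# PID -> process role, transcribed from the --type / --utility-sub-type flags in the
# process tree above (assumption: the tree is complete for this run).
PROCESS_TYPES = {
    4736: "browser (root)",
    3624: "crashpad-handler",
    1740: "gpu-process",
    444: "utility network.mojom.NetworkService",
    1832: "utility storage.mojom.StorageService",
    2216: "renderer",
    636: "renderer",
    2104: "utility chrome.mojom.ProcessorMetrics",
    5016: "utility chrome.mojom.UtilWin",
    1220: "gpu-process (--disable-gpu-sandbox)",
    3832: "elevation_service.exe (root)",
}

# One IoC row: "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def distinct_writes(rows: str) -> dict:
    """Return {(writer, target): {"image", "procid_target", "count"}} for the rows."""
    summary = {}
    for m in ROW_RE.finditer(rows):
        key = (int(m[1]), int(m[2]))
        entry = summary.setdefault(
            key, {"image": m[3], "procid_target": int(m[4]), "count": 0})
        entry["count"] += 1
    return summary


def classify_targets(summary: dict, process_types: dict) -> dict:
    """Map every target PID to its role. A PID absent from the tree is the case
    worth an analyst's time: a write into a process the browser did not spawn."""
    return {target: process_types.get(target, "UNKNOWN: not in process tree")
            for (_writer, target) in summary}


def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=filetime // 10)


TRACE_TIME_LAST = 133583768917879078  # value from the TPM\Telemetry IoC above

if __name__ == "__main__":
    writes = distinct_writes(WPM_ROWS)
    roles = classify_targets(writes, PROCESS_TYPES)
    for (writer, target), info in writes.items():
        print(f"{writer} -> {target} x{info['count']} "
              f"(procid_target {info['procid_target']}): {roles[target]}")
    print("TraceTimeLast =", filetime_to_datetime(TRACE_TIME_LAST).isoformat())
```

On this report all four targets resolve to chrome.exe helpers that PID 4736 itself spawned (crashpad-handler, gpu-process, and the network and storage utility processes), so the 64 entries describe the browser writing into its own freshly created children during start-up rather than into a foreign process. TraceTimeLast decodes to 2024-04-23T20:14:51.787907 UTC by the sandbox VM's clock.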
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 22ff9ac015bf80adef655f9e72dcc136
SHA1: fa21164ea58ef2d1a197fc4c723f9e387c0ff556
SHA256: 89b05d803158a1ddee40d4c3c959827961054177f675f176d36f5419d9f8eca0
SHA512: f565dc698db5c65ccb7b774cdd249d0812f4aa5b36d718c05756b192b0cafb4dbd2e3d5705589c094e317ca1271a008a41eade00cc013b5701e824e63dc11d71

Filesize: 2KB
MD5: 16057cc001465f44d83fef02eada3af0
SHA1: 36d40a269bea0e6f63b5e082be2ef66fd32f77e2
SHA256: 74d20dd9b99f4c3d089bac2a86f065e3fe1f1867ebba001b89a155d19518b818
SHA512: a40c35000c58507385d08e71d6660d45872f978864fba698f1afed3b520a7dde1dbd3346a7b6b8fcfd8ea866f617449578f51a31b5a380e666cfe92e85209f79

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 1KB
MD5: c4ccb82601c48f9c7acd9fe6dfc95a8e
SHA1: 2a6645a16845ed49be6a52be30423496c9268094
SHA256: 0ac6827335a3452747c1bea8e9f423cfd74ed25394bb868888f67896a72617dc
SHA512: e08d8ce22a6537554c36d47c1c0a95151b15ab762b4356c3f054c217958bc30c2b89b33f90ddc8948d492bec82fac4c53abe5d708992158022560594d13e24a3

Filesize: 7KB
MD5: 5b2d453725028eb8ce3a15e03369154f
SHA1: a343fa9ec5194b807debe6d244bdb7bbdbc31dd9
SHA256: f0003e6dba7e0806b0931562e178ff5ed207aadf4b3fee1adf91e150029499d6
SHA512: cae5bba8e255ad9b2bc46814af270d89ff16d5a592b8643af8247289aeb5a1fce5cf7f3844e4c6bb0dc773a62bff3b5ba37cbf94bb9112f636277bf3360c5e06

Filesize: 250KB
MD5: b1435174153dafb2e2406dd191e94157
SHA1: 2cd963dbfa746baf67e605cb079c82117c6a26bf
SHA256: 795829dad3e70cbc9780b7ab71a3d8f2fca9f9518fd11179cf0d2c5b64bb972e
SHA512: 42f2ed7edb4c16bef70e8bf1d2e019760ad1cef6dd029ac3243ca3248ad4bd9dc0e17b952de28dae2f7072bbc0d05840e8b7054e5deb351a497e791801175916
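The Downloads section publishes four digests per dropped file but no file names, so the only way to tie a pulled artifact back to the report, or to rule one out before pulling it, is to recompute the digests. The Python below is an added check, not part of the report: it compares a candidate byte string against one reported digest set (the 2-byte entry above, copied from the report) and, going one step beyond this page, screens reported hashes against a small constructed table of trivial contents that dropped-file lists commonly contain. The TRIVIAL_CONTENTS table is an assumption of the example, not something the report states.

```python
"""Added check for the Downloads section of this report (not part of the report):
recompute a candidate file's digests and compare them with the published values.
"""
import hashlib
from typing import Optional

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests copied from the report's 2-byte Downloads entry above.
REPORTED_2B = {
    "md5": "d751713988987e9331980363e24189ce",
    "sha1": "97d170e1550eee4afc0af065b78cda302a97674c",
    "sha256": "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945",
    "sha512": "b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af",
}

# Constructed table of trivial contents that dropped-file lists are full of;
# recognising them saves an analyst from pulling the artifact at all.
TRIVIAL_CONTENTS = {
    b"[]": "empty JSON array",
    b"{}": "empty JSON object",
    b"": "empty file",
}


def digests(data: bytes) -> dict:
    """All four digests the report publishes, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def mismatching_algorithms(data: bytes, reported: dict) -> list:
    """Names of algorithms whose digest of `data` differs from the report.
    An empty list means `data` is byte-for-byte what the sandbox saw; a list
    naming only the weak algorithms would point at a transcription error."""
    mine = digests(data)
    return sorted(name for name in reported if mine[name] != reported[name])


def identify_trivial(reported: dict) -> Optional[str]:
    """Label a reported file whose SHA-256 matches a known trivial content."""
    for blob, label in TRIVIAL_CONTENTS.items():
        if digests(blob)["sha256"] == reported["sha256"]:
            return label
    return None


if __name__ == "__main__":
    print("2B entry is:", identify_trivial(REPORTED_2B))
    print("mismatches for b'[]':", mismatching_algorithms(b"[]", REPORTED_2B))
    print("mismatches for b'{}':", mismatching_algorithms(b"{}", REPORTED_2B))
```

Run against the 2-byte entry, the screen identifies it as the two bytes `[]`, an empty JSON array, so it can be set aside without fetching it; the other five entries return no match and still need to be pulled and examined.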