7419d8b873f0cfc592effec892577be9877b3d83f031aa352c90e098f5f27da8

Analysis

max time kernel
45s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-04-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qIYFtzy.exe
Size

907KB
MD5

53d4e5a0d6a88b2122a4bf7a250e7eac
SHA1

a63b703c1fda969f4d106a92fa97c50bdff35df0
SHA256

7419d8b873f0cfc592effec892577be9877b3d83f031aa352c90e098f5f27da8
SHA512

0f40c22a10e27b50f75f9eadc362979286e0ffc16e2ac6d96bfc6fe87a90eaaf20d0a1520351e5678aa947635a4f6eba9605d48f1b15d9e4069fa8c6ebd401ef
SSDEEP

12288:0TL+YS9yexcDJOlrsA3ph0lhSMXlirR2aZGDVK2bK0:0iyeQOlrsA5h0lhSMXlYR2aZGDVrK0

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"	qIYFtzy.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2516	chrome.exe
2516	chrome.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1692	qIYFtzy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1692	qIYFtzy.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2416	1692	qIYFtzy.exe	29
PID 1692 wrote to memory of 2416	1692	qIYFtzy.exe	29
PID 1692 wrote to memory of 2416	1692	qIYFtzy.exe	29
PID 1692 wrote to memory of 1936	1692	qIYFtzy.exe	30
PID 1692 wrote to memory of 1936	1692	qIYFtzy.exe	30
PID 1692 wrote to memory of 1936	1692	qIYFtzy.exe	30
PID 2516 wrote to memory of 2532	2516	chrome.exe	32
PID 2516 wrote to memory of 2532	2516	chrome.exe	32
PID 2516 wrote to memory of 2532	2516	chrome.exe	32
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2604	2516	chrome.exe	34
PID 2516 wrote to memory of 2344	2516	chrome.exe	35
PID 2516 wrote to memory of 2344	2516	chrome.exe	35
PID 2516 wrote to memory of 2344	2516	chrome.exe	35
PID 2516 wrote to memory of 2452	2516	chrome.exe	36
PID 2516 wrote to memory of 2452	2516	chrome.exe	36
PID 2516 wrote to memory of 2452	2516	chrome.exe	36
PID 2516 wrote to memory of 2452	2516	chrome.exe	36
PID 2516 wrote to memory of 2452	2516	chrome.exe	36
PID 2516 wrote to memory of 2452	2516	chrome.exe	36
PID 2516 wrote to memory of 2452	2516	chrome.exe	36
PID 2516 wrote to memory of 2452	2516	chrome.exe	36
PID 2516 wrote to memory of 2452	2516	chrome.exe	36
PID 2516 wrote to memory of 2452	2516	chrome.exe	36
PID 2516 wrote to memory of 2452	2516	chrome.exe	36
PID 2516 wrote to memory of 2452	2516	chrome.exe	36
PID 2516 wrote to memory of 2452	2516	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\qIYFtzy.exe
"C:\Users\Admin\AppData\Local\Temp\qIYFtzy.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color B
  2⤵
  PID:2416
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1692 -s 116
  2⤵
  PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7879758,0x7fef7879768,0x7fef7879778
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1336,i,16441223743552192319,660557209160396539,131072 /prefetch:2
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1336,i,16441223743552192319,660557209160396539,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1336,i,16441223743552192319,660557209160396539,131072 /prefetch:8
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2328 --field-trial-handle=1336,i,16441223743552192319,660557209160396539,131072 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1336,i,16441223743552192319,660557209160396539,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1128 --field-trial-handle=1336,i,16441223743552192319,660557209160396539,131072 /prefetch:2
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3024 --field-trial-handle=1336,i,16441223743552192319,660557209160396539,131072 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1336,i,16441223743552192319,660557209160396539,131072 /prefetch:8
  2⤵
  PID:580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1336,i,16441223743552192319,660557209160396539,131072 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3916 --field-trial-handle=1336,i,16441223743552192319,660557209160396539,131072 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 --field-trial-handle=1336,i,16441223743552192319,660557209160396539,131072 /prefetch:8
  2⤵
  PID:892

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
984B

MD5
c7c5bc8c786df9492f0c8694582625af

SHA1
26f35e9c6e83ae611cc1ca64b9e7eb7e9683a18b

SHA256
2dc057cb53954f44e5fe50d2f4d38432bfd9ce8da901f977d676931841de2a97

SHA512
bd9d4fa8c9d0f5aa84d75ba7ebac9ca3eaa532d766e9d48d90b3a999f3726420efe877915d0824572e0b7307ad8165609292f23809d48383c78b24b182551431

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
035ae896db4a1142abc5cccdfaba2ca6

SHA1
55a9109a0136454e90ef326591ac1ab9799014b1

SHA256
80f0b68c3963939da01e3bb01e6d6ec1688df79ce190b18c9797893b296845c8

SHA512
38b5bf2286b55dfc6ea738da612f13618140a85db6ae4a1db7d1e8542ec82c4a55a6fe82513573ae10aea5bee7f63af24676a170fdba8f204740eb6245f674e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e3e8ea1e0555b3578c39b04ccc23f4e4

SHA1
a3e3edd2d95bf9dedf97f867ebd2da2ee7431d98

SHA256
c061f47e0b77461542fa105ec68ac788291534a9ed68443902ec3a5bcce20307

SHA512
9b008642bb8e3d3b5fe2208e98d85f845e42d251acef8e86d1fbf1222d7d05fb400d0daab9859357b10fa94a0ebfbeb4c475f6dc943b8448a0458dc1e2b23f40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
memory/1692-1-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download