hxxps://cdn[.]discordapp[.]com/attachments/1234071769153798195/1234072046393233488/SkylineVanta[.]rar?ex=662f66a7&is=662e1527&hm=6cb0c25fbfd2c5b2701ea83e7706e11f5d2cb97a1057b2a6ed646864181cae35&

Analysis

max time kernel
17s
max time network
14s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
28/04/2024, 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1234071769153798195/1234072046393233488/SkylineVanta.rar?ex=662f66a7&is=662e1527&hm=6cb0c25fbfd2c5b2701ea83e7706e11f5d2cb97a1057b2a6ed646864181cae35&

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587748727084625"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SkylineVanta.rar:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2424	Winword.exe
2424	Winword.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3876	chrome.exe
3876	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2268	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3876	chrome.exe
3876	chrome.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe
Token: SeShutdownPrivilege	3876	chrome.exe
Token: SeCreatePagefilePrivilege	3876	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe
3876	chrome.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2268	OpenWith.exe
2424	Winword.exe
2424	Winword.exe
2424	Winword.exe
2424	Winword.exe
2424	Winword.exe
2424	Winword.exe
2424	Winword.exe
2424	Winword.exe
2424	Winword.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 4440	3876	chrome.exe	80
PID 3876 wrote to memory of 4440	3876	chrome.exe	80
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 4232	3876	chrome.exe	81
PID 3876 wrote to memory of 3932	3876	chrome.exe	82
PID 3876 wrote to memory of 3932	3876	chrome.exe	82
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83
PID 3876 wrote to memory of 4880	3876	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1234071769153798195/1234072046393233488/SkylineVanta.rar?ex=662f66a7&is=662e1527&hm=6cb0c25fbfd2c5b2701ea83e7706e11f5d2cb97a1057b2a6ed646864181cae35&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8d496ab58,0x7ff8d496ab68,0x7ff8d496ab78
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1800,i,6789731396239587774,18132715146389618990,131072 /prefetch:2
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1800,i,6789731396239587774,18132715146389618990,131072 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2144 --field-trial-handle=1800,i,6789731396239587774,18132715146389618990,131072 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1800,i,6789731396239587774,18132715146389618990,131072 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1800,i,6789731396239587774,18132715146389618990,131072 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1800,i,6789731396239587774,18132715146389618990,131072 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1800,i,6789731396239587774,18132715146389618990,131072 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3000 --field-trial-handle=1800,i,6789731396239587774,18132715146389618990,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4040

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1376

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2268
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\SkylineVanta.rar"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
032251eeddeeaf29f0e9dab05286e41a

SHA1
499ccb78131b49fb798c165625b6dced61cacaa1

SHA256
0f14c8ec64de29b856672a5749f8b4a1e1dddc1df43ad7b982d0123533c12d34

SHA512
14d97f39a67b8ca9015c2dde989d833a2af8afb524a6181698cf6481c8148a8f5a24348e89162b18a246b800bc8475f458de811f0377373de41398974596d782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
cb318aa0bff8d0351614d5552dc094fb

SHA1
04b24d4da8c07af266444903fdd57c9b39f1b94f

SHA256
b1d1405ddebe632b2148440b8e40077ad091f18cfb4825b9dc2089cada644178

SHA512
0caad1cc121b9a9df80e6a3937442828fd3aedfd0283c7219be648aa93176bb5e2be73d4ed7846aa1e7ab177ab880e5818c5b0f1874e15fd56f8110d49e799f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
261B

MD5
995ad5a39b6c86a4b1c3b2de0ad869d2

SHA1
62064bdf6b6dc9ea6fdf4583617fe497f272bbc8

SHA256
e2e38442b8e2159115212b283545f0b5e0aaeb044c0b590dbefe8f92b949fab9

SHA512
b4848237ffb8a480114afa2e6be666c9b64b9c25f153a9785f390071fa717096f7b14be6e70e8e5db565cf0a96a338959a0ddcf6a6830c473f816b200f6e23c8

Download Submit
C:\Users\Admin\Downloads\SkylineVanta.rar.crdownload

Filesize
5.7MB

MD5
1fabc6704018d063cb86f421d688ef28

SHA1
cd8e985804f383d19135f356b70815ed93612897

SHA256
f3a96074ce391da82eb1e2c770b186a5d8c7c729034e415f132e6cf02d0b57c9

SHA512
17aeb1e6e249a7d68e149eb434bab0d719a10aff649a2d5315a6302218612b0e2525de5bcc0f968a26cf134c231251e95b6e4750a825fa592eed11648e273f14

Download Submit
C:\Users\Admin\Downloads\SkylineVanta.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2424-40-0x00007FF8A3790000-0x00007FF8A37A0000-memory.dmp

Filesize
64KB

Download
memory/2424-43-0x00007FF8A3790000-0x00007FF8A37A0000-memory.dmp

Filesize
64KB

Download
memory/2424-44-0x00007FF8A0F90000-0x00007FF8A0FA0000-memory.dmp

Filesize
64KB

Download
memory/2424-45-0x00007FF8A0F90000-0x00007FF8A0FA0000-memory.dmp

Filesize
64KB

Download
memory/2424-42-0x00007FF8A3790000-0x00007FF8A37A0000-memory.dmp

Filesize
64KB

Download
memory/2424-41-0x00007FF8A3790000-0x00007FF8A37A0000-memory.dmp

Filesize
64KB

Download
memory/2424-39-0x00007FF8A3790000-0x00007FF8A37A0000-memory.dmp

Filesize
64KB

Download