hxxp://scan-echo[.]online/vape-v4/PAP46E1UkZ[.]exe

Resubmissions

29/04/2024, 03:33

240429-d4kjwshb7z 1

29/04/2024, 03:31

240429-d3ks9shb5w 4

Analysis

max time kernel
60s
max time network
61s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
29/04/2024, 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://scan-echo.online/vape-v4/PAP46E1UkZ.exe

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133588351597979612"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 3904	4060	chrome.exe	80
PID 4060 wrote to memory of 3904	4060	chrome.exe	80
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 3416	4060	chrome.exe	81
PID 4060 wrote to memory of 2328	4060	chrome.exe	82
PID 4060 wrote to memory of 2328	4060	chrome.exe	82
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83
PID 4060 wrote to memory of 2976	4060	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://scan-echo.online/vape-v4/PAP46E1UkZ.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b73ecc40,0x7ff8b73ecc4c,0x7ff8b73ecc58
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,5186780051070230437,5924441168954560113,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1760,i,5186780051070230437,5924441168954560113,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,5186780051070230437,5924441168954560113,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2184 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2960,i,5186780051070230437,5924441168954560113,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2984 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2980,i,5186780051070230437,5924441168954560113,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4496,i,5186780051070230437,5924441168954560113,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3224,i,5186780051070230437,5924441168954560113,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4656,i,5186780051070230437,5924441168954560113,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3084,i,5186780051070230437,5924441168954560113,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:1412

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0a977e4d5311a0d0dae53068bc5e59db

SHA1
60c6cfd9c9087afef4830595b5ce19710b05bae8

SHA256
2c22ceb92418878dc3b4a4b0b0d3bd25dafeeadb9f8f4f98c4524c2d6205d3bc

SHA512
90a050cdc7b54549accdbd2bf0a6e8e1f44294c815a3bcf8b1a2c9451ed19d7ac9a51aeb14a570873577b6e4ffbf528ef1f421f39758b89aad9e6de89369a308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3aa8a9d7155dec708b684abc2fdcdb8d

SHA1
e5a6830e195dbe9aa095c339f64ec823ba63eed2

SHA256
1f59471ee0845f456163eb6a41a1dbb0c4ae10513cea1f44d6922e42b126173f

SHA512
df1f6d3f757ca2eb1ab7450a6688e6c46ed85389db1dd9cfe65b305825cb4b097f32cbe644687eacf80e5a02daa8893233a070ca2dd31a42fe9c31a59605d550

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9b37a786b19e7aff0ca8d07613411c3d

SHA1
c03cf4d56f18c08563fa8a56a7fa061b0a28a39e

SHA256
209fbb24d9f76329f8f83fa914a10a2c7923903827ebd1cda49fff07c1a229d2

SHA512
0ad3d032d0e255703e21e5aae9aa056bdcbc8c8303b66672f2cc915762e2a5e511319f7fda9cef54fa5ab14266b015b3a6637916e2587dd242dd2c7a9bb9722c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df7c03e1cb5793f1ee695fde9eb12213

SHA1
2c7ec092f9be71ec25e2335ed99016cb25cff8d1

SHA256
0588b89ef1604cfd285e425d95fc717046921ea54e0b73c53d337775f8e803c1

SHA512
897ef1e4321d54508f58fe14a24f00c29c02a0c65365100d16572aeefd22df92abdeb0db222618098f678f1e35828dd5427c41e147ec17889d699182578c6e5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e02936804d7bd03c2d550bbfabca5293

SHA1
c0db064f4a3af7c8042643780499f3db45dd7b68

SHA256
c8be81ac6f672d62235daf9344a22e39ec72192f6fa7cab4a4a49ef4d37eb415

SHA512
35c267c79b198f5da49d0e314196bf9817afa8bce89bc6690d54a06d830911ed951661d371e0fbfa436f370deed48147c82074c1bfdd4f396587f0511fd66cfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
233538f584d9c5104251cddeb3a39e87

SHA1
0a53bfd549b623b60dcddcddb5509da5d267880b

SHA256
633bcb3cf4183c59cab28ed8c552665d2af831d643d98749a091f44a4efd6e1a

SHA512
413d5721adf2db5370c3b7b2a1bee41b14413206f6021697b3426a6537063a0ad92e7da861c9f166950148faada906fd297d24c9a9d7d85d9551afccc8f0dea4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
defc70298a9b6da7fa22bbb30dd18521

SHA1
64c8ec35e9d97760b065ab3bb782cb9ff8244369

SHA256
3f29834a540db2cf6a6e52460a84e7202bb2f2f28201db8e61866b0de00e4358

SHA512
b584aeeeac3b36ebeeb601509beb81373042ab1118beffc3ef7f4a5b501eede5e3744135e856b9419556880b4e0b9b931edb1143327bca9bcaa000950aa3bb30

Download Submit