237020dcdbeed096b073638d5c204f1c47881ad75aa0e19c464429a952833b26

Analysis

max time kernel
149s
max time network
147s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30/04/2024, 01:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

vivitar/startup/data/es/nointernet.html
Size

1KB
MD5

c1bf353c64ca6d3dc3aa7b386be9842b
SHA1

89e00cb8c4f9211b3187c580c5aefd14bd8d3128
SHA256

6fb649ef8b6b84c8074b3b1294f08cc8303dcf60f66951dac2ca920338dc268b
SHA512

29cdd6881afd282e5fdb542ab72fb46fd99153131cd4fcf1ad883c6c6e08e3855ca20955976a09062e1bb21c50ef666415c625f4222403ecf74010fa80bc7774

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133589127688635891"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
4448	chrome.exe
4448	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 3616	3052	chrome.exe	73
PID 3052 wrote to memory of 3616	3052	chrome.exe	73
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 4040	3052	chrome.exe	75
PID 3052 wrote to memory of 3640	3052	chrome.exe	76
PID 3052 wrote to memory of 3640	3052	chrome.exe	76
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77
PID 3052 wrote to memory of 348	3052	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\vivitar\startup\data\es\nointernet.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbf4699758,0x7ffbf4699768,0x7ffbf4699778
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1544 --field-trial-handle=1856,i,17116382834709538638,8639364125558476646,131072 /prefetch:2
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 --field-trial-handle=1856,i,17116382834709538638,8639364125558476646,131072 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1680 --field-trial-handle=1856,i,17116382834709538638,8639364125558476646,131072 /prefetch:8
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1856,i,17116382834709538638,8639364125558476646,131072 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1856,i,17116382834709538638,8639364125558476646,131072 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1856,i,17116382834709538638,8639364125558476646,131072 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1856,i,17116382834709538638,8639364125558476646,131072 /prefetch:8
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1856,i,17116382834709538638,8639364125558476646,131072 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1856,i,17116382834709538638,8639364125558476646,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 --field-trial-handle=1856,i,17116382834709538638,8639364125558476646,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4448

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4a3c8a6a8cc3547a4cf26386ec23ffe3

SHA1
4cd66fb8390286373c60e14e14db8d642b2f2000

SHA256
843464a065c3da9299dd2895f2728d4da47c5f45b064c1a6eb60f0a45525f27a

SHA512
1b31736834600232f87ed0c1a9dbb42483ae91aa1262e292b027af782a65baa295f40709dd07b618f71c5c678d08aeca343d2b107d05751a71382ea5b0ce102c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1f73fe53afce6500deed35cd6e010d63

SHA1
14e592e52a9c8e1d098ec1df6f64aa3657612fad

SHA256
a2e65bcab0d9b0bbde4c8f93dd5c4413e255cb54a1351251ee2c6de33d163ba4

SHA512
7e7fcd9eba1acd0036b40a613615e9c6162b280090eafb87a56ea92c8d594232d5789fcd25306bb88ed48d41fbf28287212edc8a914b78541341aec7e7c61219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9884f01b4112afe3bab774907d556419

SHA1
a7db1f8da4cb468c4966ba469aafaebcc3e71073

SHA256
6a9fb67eefae8e7be8167d821cca3c483f9367e79c503698b7e6c54686cadcc3

SHA512
0f07d052601134410f2ce935b68342885ada50a84dc706edc42e4d89a746c633350a0eae542fbed60adf9e1be0ec354bc05e3d6018fbc2c35e537e54ae983e9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
1fff8f1d91100d0c6612e05d89578fe1

SHA1
241951ae45a6034dcb6f0eaa02f0ede25e53fe23

SHA256
1ee2000dd0e8f15eb895c67d4e90bd3a3ffca2c5c7b7e67a6104bfab00f08726

SHA512
60e9ce6ea302a866584b98f8f5f91a48f1ad9271f8c3e37b233246840de9bda30479b87aceb60e5d86d76a77db9ddeba7a25854ad169f7370095e9dcdb3eafdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
ab39e75fe7b6196c5d015b82bf3a5f79

SHA1
62cab2e6cb5acfccf5285a984fe2a281cf722f53

SHA256
134b29fb9f0ae406b16e4fd3c402033d8e1807cab464293ba6a63701651e3580

SHA512
d9c170d29e353d6c2dde5bc102e38f12b3589e2e5978067cec6252b3eb881484553c73b5e0c7f96b629dc6f637c0d19ef4f5533f0f3ac6379107380922fb2cd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
5871df77cfd54449c9e3389cd3363115

SHA1
151ba62580cff43474a3bc04b6b66264157c766e

SHA256
e4ab5ae930538ecd1c689005a73a8b98317d4abd690567c323117c77160ca34f

SHA512
254c9241266a0b5298bb0dcb29e9925c3db2eb02745eb021149bfbd4df599f21f8d35b4bc46ff283a47cf22f02167a2109c3b006194cfa66f567804c3a061b2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
ed463976efc87c906eda928dac38a0ef

SHA1
793f9fe3e66847cb03465ccbb3943aab6abab431

SHA256
0395b796e626585cf02961c30e420235c96f3cac2636ef0f91121646cf14313c

SHA512
65451004220476f0cdf4e72a441a65193b18c8994c8278fe28a580e7a31099612b3a0c65c4f6481431d8bfd48d9e8b86e61df39c65bf9b8c5559983a5159712d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit