3b248836cef97574faf978ee7b9660c5653da91d97db8a7cc2cf3147c5a5bb16

Resubmissions

02/05/2024, 13:45

240502-q2ebbaab4t 6

02/05/2024, 13:42

240502-qzr5dsaa9x 10

Analysis

max time kernel
105s
max time network
107s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02/05/2024, 13:42

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sample.html
Size

19KB
MD5

17fd5479f7dec3f65015008bcf5004ae
SHA1

98d6bcf0334e0f383f3e66948e347fda087d3373
SHA256

3b248836cef97574faf978ee7b9660c5653da91d97db8a7cc2cf3147c5a5bb16
SHA512

081e39bd770c3a1e602937b85c9a38744f0ab245e452651eea551e76752c907edbc9952ac1c1e8601a418b4c7a652b76ac26d9cd0c42bbd3d18668c1ee5123b0
SSDEEP

384:rWjuCGNSDpmReVoOs47i9ylKeGM1U8Hhhbdxo7/S2LjMrSA+1IJCgMmVn:rWjeSBVoOs47myI1MZBhbDGPMrSkJ2mV

Score

10^/10

evasion ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5064-342-0x0000000000400000-0x000000000079B000-memory.dmp	upx
behavioral1/memory/5064-368-0x0000000000400000-0x000000000079B000-memory.dmp	upx
behavioral1/memory/5064-385-0x0000000000400000-0x000000000079B000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
52	raw.githubusercontent.com
53	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591309517506848"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
4100	reg.exe
4136	reg.exe
628	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4448	chrome.exe
4448	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4152	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 96	4448	chrome.exe	73
PID 4448 wrote to memory of 96	4448	chrome.exe	73
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 2476	4448	chrome.exe	75
PID 4448 wrote to memory of 224	4448	chrome.exe	76
PID 4448 wrote to memory of 224	4448	chrome.exe	76
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77
PID 4448 wrote to memory of 4508	4448	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa9de69758,0x7ffa9de69768,0x7ffa9de69778
  2⤵
  PID:96
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1848,i,5429695039592400300,16899756585285483554,131072 /prefetch:2
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1848,i,5429695039592400300,16899756585285483554,131072 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 --field-trial-handle=1848,i,5429695039592400300,16899756585285483554,131072 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1848,i,5429695039592400300,16899756585285483554,131072 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1848,i,5429695039592400300,16899756585285483554,131072 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4108 --field-trial-handle=1848,i,5429695039592400300,16899756585285483554,131072 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4192 --field-trial-handle=1848,i,5429695039592400300,16899756585285483554,131072 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2624 --field-trial-handle=1848,i,5429695039592400300,16899756585285483554,131072 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1848,i,5429695039592400300,16899756585285483554,131072 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4844 --field-trial-handle=1848,i,5429695039592400300,16899756585285483554,131072 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1848,i,5429695039592400300,16899756585285483554,131072 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1848,i,5429695039592400300,16899756585285483554,131072 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1848,i,5429695039592400300,16899756585285483554,131072 /prefetch:8
  2⤵
  PID:64

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\Temp1_SpongebobNoSleep.zip\SpongebobNoSleep.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_SpongebobNoSleep.zip\SpongebobNoSleep.exe"
1⤵
PID:5064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B8CC.tmp\SpongebobNoSleep.cmd""
  2⤵
  PID:4224
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:4392
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:628
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4100
- - C:\Windows\SysWOW64\reg.exe
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4136
- - C:\Windows\SysWOW64\net.exe
    net user Admin /fullname:"SPONGEBOB FOUND YOU!!!"
    3⤵
    PID:1484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB FOUND YOU!!!"
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 00
    3⤵
    PID:1544

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af3055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
44f446359759544452ee188ba1a89aec

SHA1
bafec17133c0780b1fe5dd2e6d5806681cb44f44

SHA256
366c6ceae5b2a80d9a953157e9716a39dfd1acb2e8ed93bd869362960811d82e

SHA512
0e514e045f0828d38267194d8ec890340f3b14b57cc46a76a5453c991919409093f87680420e9f847a5d449c1a968c2f3eb972431accaabf19d5472a12913f01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
47e32e01a67f961755f77100f71fd015

SHA1
7ac5b0684ed32d6490b3b6b61b9abebc6c298558

SHA256
c2ba6fa38a5923078e01dbac714fc754bf856cc49c9039d7e45da0a79d163435

SHA512
c35ff4fd2a42148c4199d20d19bc58b5ecac95f8b65739a861b2ba18094d60d7e81ddf11301a5ea19125dd72d5d6b1416e899172feb75037b98b81b0283be1c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8738f95d81d9f8218488e9bbb87a53fb

SHA1
5aed64cab9485758b0b2e0a01f55e6a231747908

SHA256
77c8c68437599e50c54a9717446994a4af2e78d382e7f719f26243951c5db93b

SHA512
995406a21b8da2441dbd948bddfc73f76aceb37b1fe5595313e6f642436aa8ba0318e9fe2fc2aadeefa63009fca86c1c093f0a98b9c136c5f5ed93d156290db5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\dfd34ec7-bbb4-470a-93e7-9b0f705d5c2f.tmp

Filesize
371B

MD5
c219b6ef1e6b3d0b85d6ac5db0522d22

SHA1
ffa4961b152ae378221453c717e6ce1cf4bb7348

SHA256
40c5acb558938d6ef322bf183fceec8f1cf8bba5dca61e5af731f91bf0a686f9

SHA512
509f94fa5499f12d0f72802e2bc855bceb90ba005ed12b292c8313ed7e3d10d068fe80c0dff70883d37d3bd931226e6d8ea91f57c26b1b955b6879a214f7071f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
36ec059d19c4cd1e079e331b4687076b

SHA1
1845caecb33c89d7ba8ce4c78d0b5448835f97d5

SHA256
fac9a46ddbf0082c5a6739d27c9dd3358acc37d696615231497555fe603eca1f

SHA512
2b09da14bee19d2d4639c8b1ab11df9de8a4683e03e4e7633273f9c9a52730b24e38ea1608407445eddc3b8935a93e126021e6316e4b684ea230869d28e68e1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b0999681e7eb5c7121b0da6555e5330b

SHA1
f358e0d3c0ae3be4bbb7df751701c366076829ea

SHA256
c89a33457ec01046b0a558b584a1e6df77650934e2eead76cae522b48a416e08

SHA512
b3345ed1e6776fb7f588ec5a05b3a2188bb25b71f57260d52476a74b83cca8efab9a518145db0b627b63c8ddbb19dc454a75e0c6dad4e6f257ad32b5f7d9147c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ae0b3a130706500d8125c85dd3b118f3

SHA1
e4cb83f32c4d9e6e0e2ada0edfa2ba041402600d

SHA256
db64b7720b57602ee64b0f97d6eb7555f892f0c21b2edb874c78939d8b99c5fb

SHA512
a05c56e339611bfbd9730f18d504206b37536bec67a240400d8efd2ef42c2de888350e7085317fa8f9ff1aee7072238c6232f3576fc4df013a746e970db01b39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bad7bd9951f7c953b37d5f083e29f955

SHA1
fc46ebe0d8a779d5ff30fb91b585e5a56dd514ad

SHA256
af1d50edef50edeff647a4dd33d5cfd1178855435fd486b8dfefc4511097dc9a

SHA512
f6eb7dbb0518885aa9b42c48395c9916648e1cd75d6b08fb1de11c11988df2f7f9e2cb27134a135ebb17b4ca195a25255c049ea729a670ec23301994de04e0f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0dde0b8a48ef81ea5104bd2165474c9b

SHA1
72a3818ab57e75cf8f60c9a598f62eb8a3a7536a

SHA256
986c0e2e4eb65ad3590cf0d4a1f2fa6427c6abd0bdebfc34918f79f61acf00ea

SHA512
399ee756a58f07277693fd5f8e6b8c53ccf2cb4852f58bf722c14767450036961aef72930b6360f39f71aa325ee77823a2ef52c1bf4879bcea9cf0c2213eb694

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\0853fd57-e9c9-4cc1-8400-91511ee4f911\0

Filesize
16.3MB

MD5
ffce779d51bcd4ffc83d260a56b374d2

SHA1
54ee41440a6d72c8240ad1f015e79bfb2cbf5683

SHA256
0927b92fe4379e7c8f62c3d476cf9e3090415f1f0a0e9b4363204465f689b33a

SHA512
0d6c36388e1d7d66f72c0b8e69b8b2302860e5b62d45d93269c32493d5329a869cc89c13940bb70750ea31878f43b37e02431f7ca2759890a8800cc221840fd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
9dc515cda320d3160add020390e99b6e

SHA1
af8fb27fd092268896899f55a3414926fcac78ed

SHA256
2097eb74bd5eda2fcfabadf196a9471a5dba8dcb50d144acabe6fd7037a04ba6

SHA512
734500c68e1fd29589fdd7a9463b435b9b90b325197f44bfae31437b72a260a7bfbf676198e901ea147280d771bc146a9e1a2038b34638c4ff6c2d51e77f8993

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
1afa9adcd239990d3a772545451c2941

SHA1
86d59db0571634e8d2b55173b71f60bb00510314

SHA256
672e20e4f76260b77e622f49002e229ca0c8d9227a076d2c12a42fd53f5284ac

SHA512
16d1f3d65d401f7d26ce53afe2d5fe9bc1bea2d8c1dab2fe48a01212d10dcd98d04080fae83e194dabc4201b3f68a29f8ef4deb7b78b24d45a938ab152a1554c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
2ed3d44072644c62a29fa46a5bd38ebb

SHA1
a3b6dfd91347e57b3c7c7fa6c5618d69f99984b0

SHA256
f647de21dffcb9a83c88351cefcce99ebbac6007abae5c037d2f79b53b7ad437

SHA512
78070936d637dcb2b6f6b046438cdca7fc45b6d8d43b08acdd2799e0ba9c11910e8ef8497fc684815a7ff47caec701af84bc455d996083d879ecb59db9f57acd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
c51ff22205157249f7a625ec1cd95ed8

SHA1
ef1b7db100bfb298a8d075d4c2d1056b8b708285

SHA256
c4e83e13fdd439cf02aa14bb82087a89597a09b423b56a285b76b5debc35ca2e

SHA512
eece70fa066d10b553857fb133506d5d34796251b05b8b2016027414f2c75471ab19da156711dd03cd19a09abc16a28d2716a6315636c598700ef33854cf5d60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
62953e17bafb1e3c4918cd6d1ebfec79

SHA1
4891c87520d414410fb5eb269b9fb81fdab3bcc3

SHA256
02cca2ce6fa0e46cbc995614079fbe34d5dd6aa407055f7b0c180361b0748ca2

SHA512
25869f588a1ab8d9fe7303034174d0856228807a88f89b2da29f43532706acf51f01f4ef256c96331174960f14d06a54b3248288c08b226684dd0a062feb44f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580e72.TMP

Filesize
91KB

MD5
1f1db461965583043db769ca4be72853

SHA1
15386b3547c0082cecc0693e647504a8f895e350

SHA256
f8e820f78fbd2da13b4110082dbafb0c955614410394adc18e6f26a5603b94df

SHA512
1dd66ce93081ee2ca4692e0ea62334b79ff46652adf295173de37f339586f5a34e70e918be6dab6ee1117972f77ea348ce7d9f304e1451eb1a72d045293ee14d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8CC.tmp\Logon_overwriter.exe

Filesize
34KB

MD5
942e4fe24043059c647f584cc657c4ab

SHA1
41e98f66887a4d912a49af32bf164ab9daebf543

SHA256
ed996aabbbd002aa1d2a26954c64f47072f9388142b85cf273c190ce357597e2

SHA512
dab7a646761a2f547e5e8dee83678c1b30852ad266d03b3408475a65a5a0f3088a5b7e641d78baea697152cea735ece7b9537c7c86b7dc74773cdb336b0ee7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8CC.tmp\SpongebobNoSleep.cmd

Filesize
1KB

MD5
f0f8f16b1be67c7ce5d854701fae56ce

SHA1
9ef78e1bec7b3f7190231d7d1179629db0756a38

SHA256
71f31c42e96e8dd9c25b2d36959d2ee75948a10aaeae25dffc2dd03759e53f83

SHA512
ef514835e6b4ead1c649846082beed6182947e0cd90538dea6ad8290c177c657e6f9c2e4d9f473de300fb10fb1f74e691911d75239dbf926ad5cf46b7370fd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8CC.tmp\bg.bmp

Filesize
2.6MB

MD5
ce45a70d3cc2941a147c09264fc1cda5

SHA1
44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9

SHA256
eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac

SHA512
d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8CC.tmp\gdifuncs.exe

Filesize
120KB

MD5
3b9073afad85ea5e6a76de419645245e

SHA1
faad89b3d9df889547b9940505fce6c0aefbb727

SHA256
4e3da2fd00b3a6a758e4b3303fe5fa61d87bf12c6714934fbdf6312c9bd9851b

SHA512
e1a0622bac8bc9c88458a5cb559a2ccb8c70e4d24127ccee99595cea273609b0aa7815be6eca36ba8548a2b0491bbb00edb1e809eb7126469ce7e32a682ae72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8CC.tmp\mbr.exe

Filesize
47KB

MD5
23767616e3543edfb57b841df56a0a81

SHA1
1f2ed4a7d16ac128cb50e0333578cc61469a4f92

SHA256
8de5e3f36ac9f8f844db93e630bebb80a40c51eb84b3418054d41ba2e4ca55ea

SHA512
50081bd0091cf4c7698229475dd783f0694b27dbdb889872447d6b9af375ec54bbf8c8ab609f48d6ca6d2bd2898792793658b3c6562c6474f4b63b72b7cd4347

Download Submit
C:\Users\Admin\Downloads\SpongebobNoSleep.zip.crdownload

Filesize
21.3MB

MD5
560b86535f0e965a00810ba75f1c7725

SHA1
8f52994f512c508c0ac6197cb9d89ababc0a4624

SHA256
6eed2abf44686e0b41cd0e62e56fc3b01ba5db1b73488cd50c969c02a735be92

SHA512
3cda9b4415562ac6e9ddacc7e420318502dd3c3103f4ea10bb7c1880cec86ba11c678b1850e91f550c0f9b8674269846b80c30563965cd7d5412f3045b5a740f

Download Submit
memory/5064-342-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download
memory/5064-368-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download
memory/5064-385-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads