Analysis
max time kernel: 149s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-05-2024 20:40
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://pub-fd00a6f7324e456ebb9f29e6533d4658.r2.dev/0nedrivedoc.html
Resource: win10v2004-20240426-en
General
Target: https://pub-fd00a6f7324e456ebb9f29e6533d4658.r2.dev/0nedrivedoc.html
Malware Config
Signatures
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133592424285806153" | chrome.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3568 | chrome.exe
3568 | chrome.exe
4844 | chrome.exe
4844 | chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid | Process
3568 | chrome.exe
3568 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3568 | chrome.exe
Token: SeCreatePagefilePrivilege | 3568 | chrome.exe
(the two rows above alternate for all 64 listed entries; every entry is pid 3568 chrome.exe)
Suspicious use of FindShellTrayWindow (26 IoCs)
pid | Process
3568 | chrome.exe (26 identical entries)
Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
3568 | chrome.exe (24 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3568 wrote to memory of 4628 | 3568 | chrome.exe | 84
PID 3568 wrote to memory of 2304 | 3568 | chrome.exe | 88
PID 3568 wrote to memory of 3660 | 3568 | chrome.exe | 89
PID 3568 wrote to memory of 4308 | 3568 | chrome.exe | 90
(each distinct row is listed once here; the report repeats a row for every write event, 64 events in total, with the writes to 2304 and 4308 accounting for nearly all of them)
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pub-fd00a6f7324e456ebb9f29e6533d4658.r2.dev/0nedrivedoc.html
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3568
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe6c3ab58,0x7ffbe6c3ab68,0x7ffbe6c3ab78
PID: 4628
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1948,i,6710782178430018689,14445790769293597783,131072 /prefetch:22⤵PID:2304
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1948,i,6710782178430018689,14445790769293597783,131072 /prefetch:8
PID: 3660
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1948,i,6710782178430018689,14445790769293597783,131072 /prefetch:8
PID: 4308
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1948,i,6710782178430018689,14445790769293597783,131072 /prefetch:1
PID: 4268
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1948,i,6710782178430018689,14445790769293597783,131072 /prefetch:1
PID: 4640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 --field-trial-handle=1948,i,6710782178430018689,14445790769293597783,131072 /prefetch:8
PID: 1868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1948,i,6710782178430018689,14445790769293597783,131072 /prefetch:8
PID: 3480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1948,i,6710782178430018689,14445790769293597783,131072 /prefetch:8
PID: 2372
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4408 --field-trial-handle=1948,i,6710782178430018689,14445790769293597783,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4844
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
PID: 3340
Network
MITRE ATT&CK Enterprise v15
Downloads