d53a7858a392b314ef7e63d5d8d2f7fa8b6067dc0b9cc926adf219c0c4c0b768

Analysis

max time kernel
44s
max time network
49s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
04-05-2024 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZOD-master/42.zip
Size

41KB
MD5

1df9a18b18332f153918030b7b516615
SHA1

6c42c62696616b72bbfc88a4be4ead57aa7bc503
SHA256

bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa
SHA512

6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80
SSDEEP

768:hzyVr8GSKL6O3QOXk/0u3wqOghrFCezL1VFJdbq2QTJTw02Q:hGx8DKXE//ZhhCirFi2cwK

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133593185059178610"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1156	chrome.exe
1156	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1128	1156	chrome.exe	85
PID 1156 wrote to memory of 1128	1156	chrome.exe	85
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1540	1156	chrome.exe	87
PID 1156 wrote to memory of 1540	1156	chrome.exe	87
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ZOD-master\42.zip
1⤵
PID:3452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca6e7cc40,0x7ffca6e7cc4c,0x7ffca6e7cc58
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1968 /prefetch:3
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4432,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4608,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4284,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:856

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2952

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4468

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
421a4e155cbeb65e805e6fbcf949e5a1

SHA1
490ad079550fac09620b7e0b1c88a3f9b1c80a99

SHA256
d79ad3dd5ad18ef128f716333dfc21c68c8148aaf820f1bcb03b3b0c0b5ea4ac

SHA512
0f2bdf5dcfcfa0b5bde7ed196dfde6ea89be01fa87b875565e87d199df7d7ecb985880761452725aca77b2a73bcdf73bc296ea0cba766a633be5b6f724c708de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
86d962aa79b76fd8ed0ed0d5b5146acf

SHA1
ee5dbee80c7de1adbeec33afda8830e40ee1e029

SHA256
a8fd096e191f93a3993f9e40844802fc0433862bb77714928e4de259f0ac2dca

SHA512
92b448305a912b0488755966b26245924d345180e08369c7fba13f2f70c68516fa65167cb762beca5889c864773c4cae0933b1b11ded44373d9b53a810fff755

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
99b426bc9474abdab12b48687046f459

SHA1
86f736476e820b90bac6227d212629c08142d9e3

SHA256
680b68d1f1d227354707e1195f1fe676d591a9ed0e4e0b71d7cea50b35f63c4e

SHA512
abd0e705ce4979fa94857c75837d3e221587e3923a013a50fcd2086430a248fff2001aa6e1da6936bbad9a71e1e65e0c86ddaaeac1414082da7b1184421842ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8ac85cf60ac6e3b7675374ca286e613b

SHA1
8b5b06a51455dfd53e3fba69472cf9f78b288926

SHA256
ebcbbe21d1df64728a0af0306cbbfd2bc2678eca64cc0f1cbfa2b2cd3226927d

SHA512
043e12f4c90c465c26b578f6c4e62ae6f7ba8ae016984ca26fe848d9a17df145d2ba4e72b0c73dbe55e456e89faf9f8cff49f227c961ae45ef9931c37123d12f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
c7b6bd552cffbe7f3e15d10a93de6d53

SHA1
76d8c8177aa5e25274e14281ee36166994849a29

SHA256
be7a81d4be08f77ef5c2697bfe568d40cbdd419fa151d5ef20ff40165641499e

SHA512
d702f2ace97f1d90f8cf1e90e15a11b3e5f6edbb58d2a9886f012468f3c3a7c1a31d11c0379396952187fd9779113da3e02cf4cf9b0e11b006a3196051c97115

Download Submit