hxxp://github[.]com/VSCodium/vscodium/releases/download/1[.]89[.]0[.]24127/VSCodiumUserSetup-x64-1[.]89[.]0[.]24127[.]exe

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://github.com/VSCodium/vscodium/releases/download/1.89.0.24127/VSCodiumUserSetup-x64-1.89.0.24127.exe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133595736611560844"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1132	chrome.exe
1132	chrome.exe
4032	chrome.exe
4032	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1132	chrome.exe
1132	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe
Token: SeShutdownPrivilege	1132	chrome.exe
Token: SeCreatePagefilePrivilege	1132	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe
1132	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 4820	1132	chrome.exe	83
PID 1132 wrote to memory of 4820	1132	chrome.exe	83
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2444	1132	chrome.exe	84
PID 1132 wrote to memory of 2212	1132	chrome.exe	85
PID 1132 wrote to memory of 2212	1132	chrome.exe	85
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86
PID 1132 wrote to memory of 2828	1132	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://github.com/VSCodium/vscodium/releases/download/1.89.0.24127/VSCodiumUserSetup-x64-1.89.0.24127.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb4283ab58,0x7ffb4283ab68,0x7ffb4283ab78
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1888,i,338179264037634378,9506476526340214520,131072 /prefetch:2
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1888,i,338179264037634378,9506476526340214520,131072 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1888,i,338179264037634378,9506476526340214520,131072 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1888,i,338179264037634378,9506476526340214520,131072 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1888,i,338179264037634378,9506476526340214520,131072 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4624 --field-trial-handle=1888,i,338179264037634378,9506476526340214520,131072 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4796 --field-trial-handle=1888,i,338179264037634378,9506476526340214520,131072 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1888,i,338179264037634378,9506476526340214520,131072 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1888,i,338179264037634378,9506476526340214520,131072 /prefetch:8
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1888,i,338179264037634378,9506476526340214520,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4032

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2f8d2603bfc48b2ee90c34a38f06521c

SHA1
449b4d7bda049c128e0d4983253b2427ab613e71

SHA256
5da6fcf67ad42b48e9698fcfddcdfda5909a33a11aac7e72f80c3f2682ab8653

SHA512
2f1fdecb4a61749bf962e23f74574fe6283e682ae531d75a45606758278436c5ccdb151a57afc6282ea17b229f9c86c90c47a75768a1e7de3c697095e2933a7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9124d1669ee64abec116bf32a3701505

SHA1
1650d7c2f841e35d559c42322a348e2192d70667

SHA256
d8a21ef695933229688eace87c75634959062f2b2c8c8c6200f329fbd7ffc71e

SHA512
ad5afa7ae414b30d9592c731f0adb7ad85e5085b33278bd8d64ee46cb477c88e85e652be9a06a77eb7bdd83e968d118389cec825563c9ab3252a3ec314b4dc19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
6c3f373b1d273e2a7a7aad4bcec3d2ae

SHA1
2d54a895e464bf4ab0f9219e706d2076ce42b49e

SHA256
3690bdfe4b77b3e848cb1ad6bf6a7ce8210ea6bd3cadb09dd6692d6129f6deb9

SHA512
d956cffa7ef3c018fc622414fd35381bfa809ab678d84902f6ec13102391fd80010e3d403d9397db743168795c6fdbff132ab077b2d278ef77e72cd88adddf05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e2205244bb673e72ba6bf4d42e820391

SHA1
88c4ecbc66afc6f610052a6b930cab2f8f3e7730

SHA256
58c1cdbd6e5b29c17ce76ae68983b9942d39f030c93146abe20303830d598930

SHA512
af20a477b26c46c9b1e9a1e2fb2220b83d3efd8b04c01da89bc16c978bb99a2a72d2493b08c501dd9e9efa31df17b8cb5b603a05f9caaef4df9d2c206615891c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
0077bae83e45726a5f7d3b63b6fb8959

SHA1
9b10da9564fc31cddf8510c9d1ab5a3d30bf26a5

SHA256
460f2e474c4f41661aaf10d084474e8ccb8c0bd332b1df0b7e57c8679b7b4184

SHA512
69325dcab2139c662e887ffdd80e3c6e24e638a99e223ed957accaa015b2d84979b0808204ed3c8322c42734de887108f890d8489c48282fa38e7d6794e7eb88

Download Submit