5e9abe7c0a9ee33a8597c5a923af28f91e90e706741c3e3191d9c261ebac78f7

max time kernel
147s
max time network
140s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08/05/2024, 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MICROWAVE.webp
Size

59KB
MD5

8c9beb192d4d9b3b8f605ce2f730a1d7
SHA1

810a8fd46963e2cde9bc714177b893a633016e82
SHA256

5e9abe7c0a9ee33a8597c5a923af28f91e90e706741c3e3191d9c261ebac78f7
SHA512

25bcd758eba766fb2dbe89630ccf4a80c3913715452f46990e31d7edced41359e99a142ded140ab8106a5e1b89b8a2fca8815b64caa1aafeed86648c0fcc2f11
SSDEEP

1536:ynOnmqlCB6c9CIdgYABxXIV3wYA3kKSG+VOe2asU8aaowh:OOKBf8agjlozYe2ya9h

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133596845825796535"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
304	chrome.exe
304	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 4764	524	cmd.exe	74
PID 524 wrote to memory of 4764	524	cmd.exe	74
PID 4764 wrote to memory of 1980	4764	chrome.exe	76
PID 4764 wrote to memory of 1980	4764	chrome.exe	76
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3004	4764	chrome.exe	78
PID 4764 wrote to memory of 3380	4764	chrome.exe	79
PID 4764 wrote to memory of 3380	4764	chrome.exe	79
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80
PID 4764 wrote to memory of 4164	4764	chrome.exe	80

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MICROWAVE.webp
1⤵
- Suspicious use of WriteProcessMemory
PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\MICROWAVE.webp
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe88119758,0x7ffe88119768,0x7ffe88119778
    3⤵
    PID:1980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1704,i,14567850134183194027,3933844907473377011,131072 /prefetch:2
    3⤵
    PID:3004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1704,i,14567850134183194027,3933844907473377011,131072 /prefetch:8
    3⤵
    PID:3380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1704,i,14567850134183194027,3933844907473377011,131072 /prefetch:8
    3⤵
    PID:4164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1704,i,14567850134183194027,3933844907473377011,131072 /prefetch:1
    3⤵
    PID:516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2880 --field-trial-handle=1704,i,14567850134183194027,3933844907473377011,131072 /prefetch:1
    3⤵
    PID:1472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1704,i,14567850134183194027,3933844907473377011,131072 /prefetch:8
    3⤵
    PID:3528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1704,i,14567850134183194027,3933844907473377011,131072 /prefetch:8
    3⤵
    PID:3492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=1704,i,14567850134183194027,3933844907473377011,131072 /prefetch:8
    3⤵
    PID:3372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3320 --field-trial-handle=1704,i,14567850134183194027,3933844907473377011,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:304

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
602B

MD5
852e1f9dbf40acc22030fdb79a59e444

SHA1
76b6a64bdcfd893295c0364709211dae0fe5e5de

SHA256
415f8067ca2dfb44ec69a1a245f995c30b39a32898c349bba71a377b644c02be

SHA512
dfb2c4f982d57589f1c141f5a4f124533a3024816fa47b2b0fa2b8b6f9920f40551c8de791aeb8ef6825f831e3968d1f8a7c161ab7c335fa39a70172703025b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1d274feaeb8f0ad3ec8cf5af046a3197

SHA1
e39469a45355f2d14152fdac941973417a6570b1

SHA256
61412b6a0477f54778c5401648ab7d11c171172b3e4d2538b64e1ca4a4a6f181

SHA512
799b76a92b7832ff7bfb1ff48f432a1d368e879ac15cc6025aad2d943de1f93fd93c29ceba8ce74896be761cd5941d788166f33a740a7496b9b909761ee11460

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a85283dee475ba18a80d69cd5001e9dd

SHA1
3eef3488189143b5b3636ac2d4447327666d9183

SHA256
589d37e5a1839f93dd20dfaff6d86e0c137fe8497cccaad48ad715236c1a4ebf

SHA512
75be81a05bdff8d29c9d466662af3f95c0440e49330c6c4cb13b2e5ee17f08e79577b30b08234959f07e7d2ee5d2170ceedd29826c8342d1819279a5425c0836

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
170b0b95a37b22cccb34d2680c3e5464

SHA1
337ab5e5c04695f1565a1a385a90e4a18ecfaac4

SHA256
da42449e904b4be1b0d106b7a2d4ae78f85cefdd8fddb3d801acd81ee8ef1c10

SHA512
2b38b52c7826434a3974981550adc1c001ca6f1359afc29df5f70b44b5ac5761fcf21daac660f634a25d98c27f81130ee9a1d6825654b2251f1e11d63e859042

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
c5038676403c925af84c3e76033304a1

SHA1
8071b083879d2f6ceca1913b592f61b9e035225b

SHA256
3a6b22da7fb8ab7a73a6570b8a808b3bfa7542a17579bfbcca36acec22692228

SHA512
f4dbc627b0c9ffafb8e552930054f62e623f645c7a09a58563afaaef6ebc4a1c92167ec4999019037fb3b849a3823cf639a6200d43aea9fbb54f614e61680905

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
273KB

MD5
21d24e8c60e2fb5a8ca829f9e5b81fd3

SHA1
aed74641b923ecdb78988c5545c0e6d9606bbc91

SHA256
5536ae0ec1727841b2758647c6148e866f9ad34f201440f961b27118b29ec8a4

SHA512
b5b2b969a84367c853a6a82c4f2c547235da6e6c2318b8f2191a77470e4d492b697e87e82d5d3cf4abd6a96f7300cc38d3507f410f3e9fda566b02f63697b5ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ac0858ec-36ae-4074-ad7e-c4c2173d9c4a.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit