hxxps://download[.]tt2dd[.]com/

Resubmissions

22/05/2024, 04:29

240522-e39m3aca78 10

11/05/2024, 11:09

11/05/2024, 10:59

09/05/2024, 13:02

04/05/2024, 06:42

02/05/2024, 14:21

Analysis

max time kernel
306s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11/05/2024, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tt2dd.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133598989136777405"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1768	chrome.exe
1768	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeCreatePagefilePrivilege	1768	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 5104	1768	chrome.exe	73
PID 1768 wrote to memory of 5104	1768	chrome.exe	73
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 2116	1768	chrome.exe	75
PID 1768 wrote to memory of 4652	1768	chrome.exe	76
PID 1768 wrote to memory of 4652	1768	chrome.exe	76
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77
PID 1768 wrote to memory of 3916	1768	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffff55f9758,0x7ffff55f9768,0x7ffff55f9778
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1832,i,14929414872013743735,4637572613100040030,131072 /prefetch:2
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1832,i,14929414872013743735,4637572613100040030,131072 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1832,i,14929414872013743735,4637572613100040030,131072 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1832,i,14929414872013743735,4637572613100040030,131072 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1832,i,14929414872013743735,4637572613100040030,131072 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1832,i,14929414872013743735,4637572613100040030,131072 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1832,i,14929414872013743735,4637572613100040030,131072 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1832,i,14929414872013743735,4637572613100040030,131072 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1832,i,14929414872013743735,4637572613100040030,131072 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1832,i,14929414872013743735,4637572613100040030,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
903B

MD5
bc8ed12a7929cfa42f52da75e8ba9851

SHA1
9a537bf36848254edda25ae8ac0027759d30fa75

SHA256
376b951b5e1e0b780598422cec8a61e3fd157d35c51c06420231a9b63f1933ae

SHA512
ad8d2706eaa49b33bb04d160f1d08049447bb17856611de85009b289f3f89714da0cd068fa4e8ba77e49a1f4ec2010e1c7a5e280c981bf3b7e24ea484d9c69b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
313126e167659e3cd551a97b9c359137

SHA1
81fa197525a9132d72d2f66e86c1d236d7fc9521

SHA256
fc0dfe508e3ab6c2f34f61d15c7e2e2dbbceaa2de1e0c27ffe170e52f4fc7a90

SHA512
f78fef581f64e736f00f306c0023991a1c0d4acdeff3f993371862364b315b0fd600505644161a59b826fe7df27e25846d47827318aeb3ac1db8349b025f1537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9961b70a54c527e9f0be30cd75118512

SHA1
8f4cc67f0fe3fdf546d56dc38dbb2137a2079a5a

SHA256
7303073d22143380e8c2b9eff7766d90c923cb1513dc19bfa96534a6e4c31ba3

SHA512
7a9936a318a1ab81ac4dfe5c58daed77da430187728f941792162f94abe823163b8c03097703b564a7674d12de1d8cc44b33b69391723e011d7666eef773e440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
3d8fc247fcaa1d9d880904d140e90015

SHA1
94b9fc1164fa304739705b647c3f77baee6942cb

SHA256
30763895b2c8d3dd13f0c40678adc29dd3d51d6cfdc7342414ec6a8ea34d634f

SHA512
1a1bb7392a2e9fe4c86ab25f6637c161bc313f8df1283ad506b7ef455f3e99a0f1dec0ad58bcda255ffc897d2ad710091ace8e2b8ce4aff6e731ded85078c352

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
164KB

MD5
b8857404f76ac5d28724be66dce189bb

SHA1
70971e957526cd3111fff4d1c0b0071f3d984966

SHA256
96c3f1cf3027d7735a4c0f418b9bb0bdaaaf2c24cb68409730da9c8a1cb24661

SHA512
65c782102c6ee0a193d6364905a19395fe65b34db8c05f07f19196f62d64bed2c1b0e91ade5dd84425c2af3423fcabb971b9e581f0361b105709df90a1383d13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
60801fc627c1ca02d531c6c6519fa100

SHA1
a0fe1499da04b2ca09f64c72b5456f69040b6283

SHA256
56a3b43fbb5165ff7198acdf314c5b748ecc7809dc5d442525783ac13cb344af

SHA512
9e9189681def1c7966948c1b236f46f90114527b6ca0c0a0fea53d9aed834d83399e181054e16508d90cbdf7106e6842cfb942049a9daaba40857b27578e3f8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
c8c746308df195938898916c0bd0bf99

SHA1
4906c59a77867b023c6afb0325a8ed352dd58776

SHA256
db41f7ec09c7cfe20b221db4f129aa8c4e237a47d8e3a8c5c46a14d371dd883c

SHA512
939f698b8407c6985f1d38b5807f61c0388d3fd6c0c02c14292554423c0a93cc82ce451a4a01271a39d0a87ea5a7eec2281d08d02210ffc5e7fb0ec7f61086c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit