hxxps://download[.]tt2dd[.]com/

Resubmissions

22/05/2024, 04:29

240522-e39m3aca78 10

11/05/2024, 11:09

11/05/2024, 10:59

09/05/2024, 13:02

04/05/2024, 06:42

02/05/2024, 14:21

Analysis

max time kernel
222s
max time network
214s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
11/05/2024, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tt2dd.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133598990031064236"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1912	chrome.exe
1912	chrome.exe
3600	chrome.exe
3600	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1912	chrome.exe
1912	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1340	1912	chrome.exe	77
PID 1912 wrote to memory of 1340	1912	chrome.exe	77
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3144	1912	chrome.exe	78
PID 1912 wrote to memory of 3580	1912	chrome.exe	79
PID 1912 wrote to memory of 3580	1912	chrome.exe	79
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80
PID 1912 wrote to memory of 2896	1912	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf6bbab58,0x7ffaf6bbab68,0x7ffaf6bbab78
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1800,i,575479221801509109,13409107658844644862,131072 /prefetch:2
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1800,i,575479221801509109,13409107658844644862,131072 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2120 --field-trial-handle=1800,i,575479221801509109,13409107658844644862,131072 /prefetch:8
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1800,i,575479221801509109,13409107658844644862,131072 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1800,i,575479221801509109,13409107658844644862,131072 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 --field-trial-handle=1800,i,575479221801509109,13409107658844644862,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4204 --field-trial-handle=1800,i,575479221801509109,13409107658844644862,131072 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 --field-trial-handle=1800,i,575479221801509109,13409107658844644862,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3600

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3829daa5dcdc18c7b98a69d2194ae15a

SHA1
30b83a1705d1f7544bf9994276adc06ebae15c6d

SHA256
2fd2c0feeccc465654f0cc3b6f32c2fa77537a11bf65f8e97b9efbf9ec49185c

SHA512
48077b0feabab0bf9f3737da0b54e4c64580d4fdfff51135c8408ae2686274c48fc9d11734fd0fd76399a9d509c0151ad437c8589b8dd276808c6a40f0337fc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
0768562facc4caca018cd6aedc7d52dc

SHA1
826f81768ebad842cda004d920e30945fe053da8

SHA256
03a646a45dd3a0f2fa14a2766cf9ab0697127c7fcb28dbc355d197a29f588df0

SHA512
967492bb62450327830baf7f4e5296eb908f6f243f1fc36d9d72bd6b78aa4ba9af7eeb3090524bc4dfa5cb99c1c3652efbc37bbde5a748524aa62beacfdbb09f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2f8c0c9fcb61db95edfe767f65b93574

SHA1
6d61b69852a930fc5b4d00a51f56f7137f299246

SHA256
41788a5c3a85fa833b258dab915a2b50d056eb2ef486e98714c30ee015fdf628

SHA512
e612778d7f9b0adce65816195a8dae33581fddd327601eafea54ab9450f9a03fa5edd79cf6f478720bac1701c5a21a327e707550d86e4be375a94846ff1fd8c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
6654c458a1015cbacdfdc539f169c04a

SHA1
8e6877458dc2a69ff9ccdf744d335259ddc0e7f2

SHA256
abe58600dda484c337419b0a58b59da1a4e26210f7caa9e79f7c02f2dfcf1459

SHA512
2ccf9a6f398e12e72dbf5976a5e4ccee2ac3a64d9bef2d9a417ba1e4f6480afc60b03e726f7e3cf0d840a19488c6ed59b34f6c521c0e852cf780381c52bf0700

Download Submit