hxxps://www[.]mediafire[.]com/file/u4fzdvuiy7z1488/Pooke[.]rar/file

Analysis

max time kernel
1799s
max time network
1685s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/u4fzdvuiy7z1488/Pooke.rar/file

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133599568542143784"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
3268	chrome.exe
3268	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1916	2888	chrome.exe	82
PID 2888 wrote to memory of 1916	2888	chrome.exe	82
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 228	2888	chrome.exe	83
PID 2888 wrote to memory of 2484	2888	chrome.exe	84
PID 2888 wrote to memory of 2484	2888	chrome.exe	84
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85
PID 2888 wrote to memory of 2464	2888	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/file/u4fzdvuiy7z1488/Pooke.rar/file
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc2abab58,0x7ffdc2abab68,0x7ffdc2abab78
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1836,i,10627031602037412938,13405873548355474865,131072 /prefetch:2
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1836,i,10627031602037412938,13405873548355474865,131072 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1836,i,10627031602037412938,13405873548355474865,131072 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1836,i,10627031602037412938,13405873548355474865,131072 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1836,i,10627031602037412938,13405873548355474865,131072 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1836,i,10627031602037412938,13405873548355474865,131072 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1836,i,10627031602037412938,13405873548355474865,131072 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1836,i,10627031602037412938,13405873548355474865,131072 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1836,i,10627031602037412938,13405873548355474865,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3268

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
46cd7c207503b083ae13dd29f037d485

SHA1
c00868531d32a94d545004decc92b3b1ab49ab11

SHA256
43e8b850a10dc2048a7465f96a1c530c7ffdc1e48667f091897a675cda9068d2

SHA512
c8f8f60740f18572a83332fef2d8d4103d42723c20d18e262369d865ef4169b0ae0c23f9b24cdeb5fae3cfffaefd97d8b5635a10ca1423c0feabc9c369b757d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
9bd9f7d48a335b57b891af0dc09e6632

SHA1
b77b49eb3853e24f8bcb260f89748b7717809a96

SHA256
bbe6f70d54df9ccc2f63caa8b474ad196fb8826dc632d2a74c2a9fc60da889dd

SHA512
33cbce8e57b0056e55f6e46026075a1025035f7601344662dc667be46849882c985238ad004b74e1c770750e07f037126c41feee108aaa217270626dacef9280

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
adc6ff67dfdfa061a451a625fcb50e0c

SHA1
506f6ec2b25ee2c2755cdf94c251d71a5c40d152

SHA256
4130d2a51512ca7a6c2ef34aab6161a370a40397eb47d559df8e97f9f9ac7b91

SHA512
b471ea0c57f6deee87b2fe1e261034be9923773df28456ca65373d2dae40ab1e361ff1748a3b47d3b85766d83e751b22df4498eb6ae97bc610c3f2f03004b72e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8937b714510f5f70ecb7254bf725cdb6

SHA1
e03b3165f988507b18b7c36f990fcc0fb5488946

SHA256
8fb349febb5f730ab6e54c9c926a3f95327e2c4861c650653ca32522f84af321

SHA512
1be0afb94e100df415d8cafbb3c4ab36964a74749179e976dc04ca70283d8cc21505544b14dc67db97ad4e3b9d707761c1bfa6dba897ab5c5e610db81b3f023e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
45d25aaeb08daf0600b6cdea967eb447

SHA1
ec7f7e63bbd436f5046ac4d8c59e115d40da225c

SHA256
5ac47a9d5c2c15e394a851a982ec76b681edf0dad0a8a7a07f01276bf692cf53

SHA512
a5ec1db84c915cc6388018901b5d115eb1eb6eb5116dec9bbb2df548bb4b7598ef65614b1533c98ef1be0db1aebcfa831b91a8c053e2bafe6f4af03ba8c840e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
47887aa96487313a3f3f45e1d73e9a2a

SHA1
b431daddedef126ab8c5316c9ec76eafbf857b63

SHA256
0633879f5b9ec1043bab683c97a7e9ce4fb7af7be4533da7eba3088d6da2d25d

SHA512
3f979341e3113ab477e0747cd7d41b969a63890c9df0100a07e0eb34abbbcaec178f4fc1287758533b3548b3bff4da1277b233af9448d9ac860378a17983cac8

Download Submit