99f5045fffbffb745d67fe3a065a953c4a3d9c253b868892d9b685b0ee7d07b8

Analysis

max time kernel
62s
max time network
69s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
16/05/2024, 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nssm-2.24-101-g897c7ad/ChangeLog.vbs
Size

8KB
MD5

18a2b15fbe354823cebec12d241e0c28
SHA1

9ea3acdcf0c538c6628090827e662c31b489e223
SHA256

0a1c351ea5f1daaac6e909686d1244bc72274a9f0190aa6e769cde95e689331b
SHA512

a5664d7dc3a6f33c9695671c28563f265d5a7a2d6613616ee3ff10ba0c644b1e9ad7ba442b7157fdf1827c1bca88375257003c7d04f529173636793e758dead1
SSDEEP

192:7GOasBIBUT0rTh/WACTx7pyMOr8v2Xqd15Yg/h7bOg:3NORWFTLyMOr6HdrJhD

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133603180654955789"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1500	chrome.exe
1500	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1656	1500	chrome.exe	89
PID 1500 wrote to memory of 1656	1500	chrome.exe	89
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 1196	1500	chrome.exe	90
PID 1500 wrote to memory of 4960	1500	chrome.exe	91
PID 1500 wrote to memory of 4960	1500	chrome.exe	91
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92
PID 1500 wrote to memory of 1052	1500	chrome.exe	92

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nssm-2.24-101-g897c7ad\ChangeLog.vbs"
1⤵
PID:3292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ffe18e5ab58,0x7ffe18e5ab68,0x7ffe18e5ab78
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1824,i,7168099815377346198,10408904800180949359,131072 /prefetch:2
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1824,i,7168099815377346198,10408904800180949359,131072 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1824,i,7168099815377346198,10408904800180949359,131072 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1824,i,7168099815377346198,10408904800180949359,131072 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1824,i,7168099815377346198,10408904800180949359,131072 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4276 --field-trial-handle=1824,i,7168099815377346198,10408904800180949359,131072 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1824,i,7168099815377346198,10408904800180949359,131072 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1824,i,7168099815377346198,10408904800180949359,131072 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1824,i,7168099815377346198,10408904800180949359,131072 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1824,i,7168099815377346198,10408904800180949359,131072 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1824,i,7168099815377346198,10408904800180949359,131072 /prefetch:8
  2⤵
  PID:2692

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
327878c45b438c102fc161a39d0404c3

SHA1
195a3ec138c70e9eb3490cb36c6f7892ef6eda85

SHA256
8336f6ff680293710477c1a75a7473f0654525d84924e6eca85d398db5c8ec0d

SHA512
3458367d772cd77d1da0d2d59a010acf2dbc7eedff8e2d95334a7bd52e2a12ab9c16aacc4eda7c485bb5b1e9eac1c66052c1e2c6e256eb84531d1c81b0451ef8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d7c8fb061bc89db992c22baafb4cc62c

SHA1
8a1c23f3666e6932ea6ff447e7ae5b34fa4927e6

SHA256
42c1550e123d2857e2c81e3b318f3d00e5936284adc9f3fd55c6bd04b0cdf258

SHA512
fb554c26f270e1b040b544d7a4abd8fe96b60aab99e1f2491736421be1d1e0ebed199f449529280a760ed4e5d7bc5aa7e200da6b414383f88a32dcdb0a39f360

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
98cae1c7a321a203bd70df747dcf484b

SHA1
95404eead017a9dc062561a46d7fea4cac8805b9

SHA256
835f9e005f00fc7a7b70d46d2a0f2c7967a499c47c8c3d9683532564e45d478c

SHA512
3f4a6bada8381903ffade498b5753a8da90b95ced74a954382407b4547fc91a80ec538c581949244c5c09af61cd5abb27d5019c3d9ba55b64aabe3e52d5644ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
908c23e8dccdc023ca438c9c4cc5ef18

SHA1
e5abf0c36311d176b66feb20645f9de1a959a2ac

SHA256
9ea618b5231e17ba64b783661d5ad434c8aa436cde70bda777a727ee746d1986

SHA512
3e75bc7f9f61f64af083b058c3874b3d2a726ecd82af0dcb06d0b5d62b60b76f21d0970e0c402c2b1352f6d08dbabc1009887a854b4a03f761a4dcc7aa512c8c

Download Submit