Analysis

  • max time kernel
    155s
  • max time network
    156s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    21/05/2024, 17:04

General

  • Target

    exit_handle.py

  • Size

    1011B

  • MD5

    e18e0ad584daf35d31774e6d251b2186

  • SHA1

    4ef9906de6fb205ce65bf0338f1f72a108220d4d

  • SHA256

    33368eff18d60a9daf900e5ba274e533c690ea6645cfe5ab51eebef6617a3c71

  • SHA512

    19b4e07bfec1b5cd7bbd66ab05f8af19b2453e0c6ee697c03d46f19a9dc9f4957091f564f3cc7b317345f652e67df717f701a1237c8f5d6270cea82d50903a30

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\exit_handle.py
    1⤵
    • Modifies registry class
    PID:2444
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4056
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe8,0x114,0x7ffc503dab58,0x7ffc503dab68,0x7ffc503dab78
      2⤵
      PID:3912
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:2
      2⤵
      PID:1904
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:8
      2⤵
      PID:816
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:8
      2⤵
      PID:3672
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:1
      2⤵
      PID:2584
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3232 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:1
      2⤵
      PID:1608
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4292 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:1
      2⤵
      PID:1568
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4392 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:8
      2⤵
      PID:4120
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:8
      2⤵
      PID:2644
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:8
      2⤵
      PID:4996
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:8
      2⤵
      PID:4748
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:8
      2⤵
      PID:4108
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4864 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:1
      2⤵
      PID:2440
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:8
      2⤵
      PID:2556
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:8
      2⤵
      • NTFS ADS
      PID:2596
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4076 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:1
      2⤵
      PID:1112
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:8
      2⤵
      PID:1876
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1244 --field-trial-handle=1848,i,8266432184609628834,4296063775963655766,131072 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5068
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:4224
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2644
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\prod\" -spe -an -ai#7zMap3744:70:7zEvent22060
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

    Filesize

    1KB

    MD5

    1b9d040638e276347c1e94fa6145fa3a

    SHA1

    d7f015631200c4a681b7d1d09805fdb3e897e05f

    SHA256

    db1272739fb9bbb549584960f780845481ab743b74e6b71ed1353f1c7127df65

    SHA512

    5b158db9bbb7ec7ea182743ee2950a31717868445b822b003b0da4e804cc71556b126bd92186ff72e626fb3e06abe0254c3820614d89a6104d9b9d89b804edb4

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

    Filesize

    2B

    MD5

    d751713988987e9331980363e24189ce

    SHA1

    97d170e1550eee4afc0af065b78cda302a97674c

    SHA256

    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

    SHA512

    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

    Filesize

    354B

    MD5

    7c62cf7d146117acdc3ce4d669f59a8e

    SHA1

    441c30dfebdf59f20a9cbf8ad074fbe3dc487a6e

    SHA256

    a8092419dadd14a8f050144b368b27ff5928e2f45eaaba9bc87d18919de96752

    SHA512

    64658fe9eee8b288dbf894f4735fdf25f6881e1b5d24bf7834982c2162b9475e5d70524edf961dfa438ae9271c2a22c007d75defc87ef64e495ab70eec1bee9f

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Filesize

    6KB

    MD5

    06ff74ed5d0ae0a2dac778529ecc71c0

    SHA1

    99b7374112c5d49096b9a2c3df24302a122429c9

    SHA256

    368c6125f41f691f8bd31c7f40007c1ee4dccb758c56396ec72b555c5744beff

    SHA512

    ad8e8b1adcbe513fe5a51e2b30b5138448d19df8a2ff38ec196a61207144ed73ee4bf2593e60a302bf322061b1fb0133828cbd82eb120017cbe2702050f6f241

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Filesize

    7KB

    MD5

    0434087272987af025797e4e075dd702

    SHA1

    79fe8962081a744b68b942f4a9d9c08986bccd20

    SHA256

    758fff6fb6387cb25e4408f9a93d91b4f44914c588a73dd452376e90a15c1beb

    SHA512

    73c768b4a9e621aa4889544cf1c42a39b3e7c0dd9b9682cbf2f3164d28849daa59ee517b25c281644d77372dc7431908828fcbd42cc063adde64713bd10b4543

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

    Filesize

    16KB

    MD5

    4faed4e1d40de1e14ccfa395f44b53b6

    SHA1

    75135499e7ad004fdab4adf5c7978aad3b0dd7aa

    SHA256

    15f9f3f894585fbd14462811a6ebb7d8aa06206982ce05c9590d399209bf3c5b

    SHA512

    062f1138e9ad0e5a05109ac3b4044b74ef0e340c6a02c4f1e07de3e69f61591d299868aa293f60cd1ae1432ea13ee451f7a21df9619ebfe9e629d759bf4a1d93

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

    Filesize

    259KB

    MD5

    c11d374252f72686eeec22827ed7262b

    SHA1

    706720ecab7ebce2de01a7ece5b01db64d84000c

    SHA256

    ad4799c4344cb24fa4aa331f7618dcf3fa7d434dd7fef9d227b9f6fff85763aa

    SHA512

    773c34690663f94cecff609582f694ead7f3ba665a8773938070f5fdc9750410ef00a566602e2ab989103304e258df3bc23ed1e9a547b4dd812c237cda9fc4fd

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

    Filesize

    259KB

    MD5

    4b46f9868d1b4c2eb6f5a7b000102d9f

    SHA1

    6b342950f73c05290973ec923f64e957a89ed5e3

    SHA256

    442c5d29bd1839a56795566db84d2f3d962639db65f63236e21a2ba742b1523c

    SHA512

    64f181bd698abec6aea9b915925a949cc0c06a3a8af7b1404750901327fbc7668e2f732ab423a0cb0bf85dbddc6f32467cdd81ea3b2e378dcdabf0827b6cae1a

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

    Filesize

    87KB

    MD5

    9c0b6baf980ecf019bf39764606c2a81

    SHA1

    a825c95211d615fcecb08e2bf919dd0e662a8b91

    SHA256

    7b09ffa9b4c8bb3b093cbd61ef59bc84850764a876ff65a9bd9b0ca80d1066c8

    SHA512

    5cba65cfd00cad716a0c6956dfa71751420933c0cd943249074646f524b93c5f0fc1bd67d5c50a454fa5d69d1b625bec7aadaf7bcb00647230fa9a4ada8672d9

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

    Filesize

    92KB

    MD5

    16a9dc9196cb96cb0acbcf8752da4932

    SHA1

    546d4ae3649ac0cbc1c0bfe7bd3667f50313ce01

    SHA256

    9abc151dd5742aa17665b009e3b7168c0602c266a7524e649b7373023207c807

    SHA512

    0f1a2be6aa589a8bae81cad634ba6952f9ffd4940cb280be8fe7a65bb4a485997ed482a315aa6e113e0909b5890f6d514349047ab6b4ab46917bd78045dcf615

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584273.TMP

    Filesize

    82KB

    MD5

    74169b72ca6ba57af1b77e2d59a3ea49

    SHA1

    ce5e109ddc44bc37a8676fc7fa993386bdccfa70

    SHA256

    f08b76acdd51889b66511e0d2b3e76ac417f83be2f8a6d660da29aa6e501a461

    SHA512

    8702d2b42a4fb318a821e0b2a8ea3abe3bf723264b2b7977fe2d48d5330e2ecc862cbbcb8b6bc9f6a4d8270dfaeb4289cc03bb741e52daab3198742bd7e51c82

  • C:\Users\Admin\Downloads\prod.zip.crdownload

    Filesize

    1.1MB

    MD5

    c570b128e070834bbc6e5bb6a7b3dc4e

    SHA1

    69fd326f3a4ecd02982478e37c665b215b71c9c1

    SHA256

    f0f206cf61b6d5292dcc4e45e7360e2de99a33726be7691512776f60d80de20c

    SHA512

    94bd343df97a407f1145a3196f0a8b44eb27448fbd95a37f70cfa56ef9a1559407194f7e5c74ffdfdb0d0f250d0b9018dccb9e9ebf7c208f9a225b65a5c9401a

  • C:\Users\Admin\Downloads\prod.zip:Zone.Identifier

    Filesize

    26B

    MD5

    fbccf14d504b7b2dbcb5a5bda75bd93b

    SHA1

    d59fc84cdd5217c6cf74785703655f78da6b582b

    SHA256

    eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

    SHA512

    aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98