hxxps://uploadhaven[.]com/download/1fc43701d2def8953fa654e6636fe873

Analysis

max time kernel
210s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://uploadhaven.com/download/1fc43701d2def8953fa654e6636fe873

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608574513745921"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1284	chrome.exe
1284	chrome.exe
632	chrome.exe
632	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1284	chrome.exe
1284	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe
Token: SeShutdownPrivilege	1284	chrome.exe
Token: SeCreatePagefilePrivilege	1284	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe
1284	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 4472	1284	chrome.exe	83
PID 1284 wrote to memory of 4472	1284	chrome.exe	83
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 2996	1284	chrome.exe	84
PID 1284 wrote to memory of 4116	1284	chrome.exe	85
PID 1284 wrote to memory of 4116	1284	chrome.exe	85
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86
PID 1284 wrote to memory of 2888	1284	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://uploadhaven.com/download/1fc43701d2def8953fa654e6636fe873
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6a6aab58,0x7ffb6a6aab68,0x7ffb6a6aab78
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1920,i,5010498914501802810,2094767914053951871,131072 /prefetch:2
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=1920,i,5010498914501802810,2094767914053951871,131072 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1920,i,5010498914501802810,2094767914053951871,131072 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1920,i,5010498914501802810,2094767914053951871,131072 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1920,i,5010498914501802810,2094767914053951871,131072 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4432 --field-trial-handle=1920,i,5010498914501802810,2094767914053951871,131072 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1920,i,5010498914501802810,2094767914053951871,131072 /prefetch:8
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 --field-trial-handle=1920,i,5010498914501802810,2094767914053951871,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:632

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
d5658bce84b6fa27ee79369385d30195

SHA1
c3971f0e4390c8b770ef96f89292014348af42e3

SHA256
4424ab6392009d17de53c1a0506b791fe3d9f53fa0955bb0f3c420d300ca0014

SHA512
915124cbef44e96b53485186a2f7847e7d6aa011730b976b8f8fcc021373406043e8b0543c92763f3902acc525ce022edd6ac066c487c60f6fdb4832385ad21c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
db2613bdedcb22c7383cdd997d9837e1

SHA1
9d35960f8b02f4974891ee1905532d6063b1fa59

SHA256
a3d01aac86b8490a3df812f2bc2eaa69d3004fea223062d49059958f97a79046

SHA512
f879acdb2cb44322bd02acef58025b7a575dd8161f541fffcecb78fc272711b530dd8a8be8df768a3bfff4de3549232e45caaae514bc86c76dc8fe796435e0d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
689B

MD5
4ec6024cb1e1a4377cdb7019c616891f

SHA1
a912e6d06c1d5d36fbb0b1016b08706dc3e29e13

SHA256
181ba5d96ec3312e9bdbdb397a999ee1005f1846b477c2c845b15e4c1ea8747a

SHA512
5ab42570d6b2109f8f2ecd3bea37a524b681fca2a78184a12c5525f2e4abc36b475d53c0b99b6a258ddd3ccd4fa2f5d891dfb8011024cf2de83f54e0c2d03631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
08304ddb90ce804b0c7d640d6a4232a2

SHA1
4e28058d09991205db800ffa2d5f69f2b78c1d8a

SHA256
dc0bfe6d3deb45a4b38640d42759a2c6a0a38d974ad1a032ccf5f68ef9a35b4d

SHA512
d833ad1cf855702fc9653c667b4720d373f2cbe182431bf155e4710c040d0c70093447262a5d3f3ef7201b5a98c46f8b033adceff59013dde783458615c37b91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
97e38da88b2c00bb565141e2f4abf92a

SHA1
74eb7926a512f79b42d5d3311298f9e9d0726cbd

SHA256
7f4223cf8cd573190de54469d9064de09a15bfb5a4bd7d7f9b6b64aab9ea0146

SHA512
c47ac0004928b54cbaa7cf24bdf176708b0419f93041ca891a6c4f6fda18e81b6c07fe86ce34e750a64787c05d1bf9fddaba43c7d988e6908ecd38e341dbafe3

Download Submit