hxxps://anasdrive[.]stradeanas[.]it/s/nprsZ4am7QsrHxQ

Analysis

max time kernel
70s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anasdrive.stradeanas.it/s/nprsZ4am7QsrHxQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609038403171269"	chrome.exe

Modifies registry class 64 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000f99cafaa32a1da017f1372a238a1da015f942974b6acda0114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 200000001a00eebbfe2300001000686a2835573ca141bbb10eae73d76c9500000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000f99cafaa32a1da01437713ae32a1da015c08eaae32a1da0114000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Videos"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\Mode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\IconSize = "96"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "5"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

448 chrome.exe
448 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chrome.exe

pid process

1108 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

448 chrome.exe
448 chrome.exe

pid	process
1108	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeRestorePrivilege	1652	7zG.exe
Token: 35	1652	7zG.exe
Token: SeSecurityPrivilege	1652	7zG.exe
Token: SeSecurityPrivilege	1652	7zG.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeCreatePagefilePrivilege	448	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe7zG.exe

pid	process
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
1652	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

chrome.exe

pid process

1108 chrome.exe

pid	process
1108	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 448 wrote to memory of 3248	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 3248	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 4460	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 832	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 832	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe
PID 448 wrote to memory of 2364	448	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://anasdrive.stradeanas.it/s/nprsZ4am7QsrHxQ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbaef9ab58,0x7ffbaef9ab68,0x7ffbaef9ab78
2⤵
PID:3248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1840,i,12559127308591997466,2892622564077229786,131072 /prefetch:2
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1840,i,12559127308591997466,2892622564077229786,131072 /prefetch:8
2⤵
PID:832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1840,i,12559127308591997466,2892622564077229786,131072 /prefetch:8
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1840,i,12559127308591997466,2892622564077229786,131072 /prefetch:1
2⤵
PID:3168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1840,i,12559127308591997466,2892622564077229786,131072 /prefetch:1
2⤵
PID:1176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4384 --field-trial-handle=1840,i,12559127308591997466,2892622564077229786,131072 /prefetch:8
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=1840,i,12559127308591997466,2892622564077229786,131072 /prefetch:8
2⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1840,i,12559127308591997466,2892622564077229786,131072 /prefetch:8
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 --field-trial-handle=1840,i,12559127308591997466,2892622564077229786,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1108

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4872

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap3347:84:7zEvent5384
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
d8265783ea226eeaeb4192bac776f4d3

SHA1
8737a8d94e23fc5d78476254bf7643eacb5707cd

SHA256
a715530358d2b431e8180b886cf3f4bd8813c3e0f392942d1054d525fd0ea6c8

SHA512
7c53b2faa9cbf13a9252d177299dd0ad14c22e8c82933f177395b04dd7321078bbf3b8f77e92dc52ab879ec226a7bd4247ebc646964a6d2f00f8046152be9f36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\6bafc2d4-4f2a-4b19-bd06-40f3966bfb5c.tmp

Filesize
523B

MD5
fc77b02ac173015a24e0a01ab677102c

SHA1
c11608c03c28d423a772ef276a539d6d5f83dfd9

SHA256
8c9981f574fe2070f574d19f343c84dc0abc9f4f959468aef6dfee80b65687b3

SHA512
cbd24a6c598ccc9943ee1e2c81c25b98a0bf2ea410855b233e7f3887748026cc3768c0ef2e48aded0c53bf63c43839707442f43931f560e981ec3850f7c2e208

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2311ae45698bf49cdc78589f53a01b16

SHA1
9f513bdf6541e3e239dac8967173e0cb4637a4e3

SHA256
405ba139c4180fb5ff3a9dad8364ff865741bce1918fb31f5ac1ca961714975c

SHA512
d73cf4d82e7d8ed392e59bc83542459276cd7e35c210fc589140229480cfb20027a3d974720fd3e2191104fe2e986084bfb7cdd4cd69ddfe7d52d89912facf55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
6f96c53e17e85c289979b3dbda8ffd72

SHA1
f0027b917cbdbb60bb8e6b8a70bb15cfd0604c21

SHA256
5661848a36fb49b1a9406315f2634f11bd7f28c030472d07371259b2df68fb40

SHA512
c7a58089045508a9f73a2c2dbbf5c01568b6759a0b7f22e95a238f0a3db30e5e3005fd7c496f1e86e22d2224a0a20ffe2a9ca49f35e96459732b2dd0bc27b1bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
baed455e4fe02ac437b7fb26d907dd48

SHA1
9f94d06293491b896444039dae6a7b9cc322cc81

SHA256
8a60dfbe9a16debe9a65759f45c87827cdc274d5f75d9de8ad6351c9e26d6d92

SHA512
9e71099b72a616f9194a4e9627b30034d453a262a15e1b6c62137ec2d9465d48d9fd1cb09995b9636f742dc7e9cf0dcfca319ad26ccdbbbfdbc804b90114f418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
56d12683625fd8b59d37e06d42dcfb23

SHA1
ccf25c556dfe2040b5fcc32ddd5bd00615f5c7d9

SHA256
368650f64e24bff2ca13bb083c36650b8ad4e73e3b890a83cc549b643d700069

SHA512
3f417f598045de2935d39a441677a8cf6340e0b274410c65db89186ca262108d7f5e92b282324de4b089f5f582e1673646cdf3d0fcbb40078559ef9ab900fa8f

Download Submit
C:\Users\Admin\Downloads\SIEM-Davide.zip

Filesize
122B

MD5
8d82dc02e80c16f29496b7bc39ee7cc3

SHA1
99d05953ee541172379e8b5fc685a9146656b5ea

SHA256
ef131096d429b15d0ac7d00a4c21e40a8d6943469820038840bd41005e5fd2ff

SHA512
e2f725cb290fbd63aa5e87d98479808f2a64cea10987a75d210c4f2a144be39801b66d300a34ccb19b8ca485a4ec7b79d5d44c9a8879c856cb90509e37bee548

Download Submit
\??\pipe\crashpad_448_SDHFJWZQSMNXHIYN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit