588039bb0b2025b16aa5603ff58c5ec24a59bc8fd0ceb9af65988f152ae9daa9

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice document-#INV845167628520.html
Size

711B
MD5

4cfe983ceb1ec5f9b926c849f83e4cf2
SHA1

386b852105917fafe8a52d3263acc4023d472407
SHA256

588039bb0b2025b16aa5603ff58c5ec24a59bc8fd0ceb9af65988f152ae9daa9
SHA512

80e9eeaed34249cf76933c614f1e087e51dd4488af01e9317775670388537098a5fce3088047753fb818c131ffe99f5223a5dbc3d246981b5b6cbd2c4ea71618

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133613801606295834"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2808	chrome.exe
2808	chrome.exe
5168	chrome.exe
5168	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2808	chrome.exe
2808	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe
Token: SeShutdownPrivilege	2808	chrome.exe
Token: SeCreatePagefilePrivilege	2808	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe
2808	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2980	2808	chrome.exe	81
PID 2808 wrote to memory of 2980	2808	chrome.exe	81
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 4132	2808	chrome.exe	83
PID 2808 wrote to memory of 828	2808	chrome.exe	84
PID 2808 wrote to memory of 828	2808	chrome.exe	84
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85
PID 2808 wrote to memory of 2340	2808	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\Invoice document-#INV845167628520.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1ec8ab58,0x7ffa1ec8ab68,0x7ffa1ec8ab78
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1876,i,9902207246844346822,5914440384042355216,131072 /prefetch:2
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1876,i,9902207246844346822,5914440384042355216,131072 /prefetch:8
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1876,i,9902207246844346822,5914440384042355216,131072 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1876,i,9902207246844346822,5914440384042355216,131072 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1876,i,9902207246844346822,5914440384042355216,131072 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 --field-trial-handle=1876,i,9902207246844346822,5914440384042355216,131072 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1876,i,9902207246844346822,5914440384042355216,131072 /prefetch:8
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=740 --field-trial-handle=1876,i,9902207246844346822,5914440384042355216,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5168

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
65660919e87a9ff43adf5ce990a49324

SHA1
781e9a54597a610faa7361a55b96078a0794ee34

SHA256
306029ca56aa461fa7fb56bdc56e50caab219618a6e5cf52d13ac59805bad7fb

SHA512
5dae4c798ad7d91df8d655c3b04e86385a49de190bc76e92a6d23973c73332897dbf83c0635441f90929ee525ec673de4f5af3c1c062b9cc3441654c1b96c5c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
bcbe9bf109f0ea172dcf43f666916445

SHA1
fb9dfe8195a9c9906159b6f584335146a77b815f

SHA256
f506e8b2a5343b8b585274e9f2a3edb7f8ee3b7f8d41904ffa8848b236bdd929

SHA512
6a1abe476dc9a885a721f032052a54b59744aa74772e6f09b18fc1e08aa2caabee914330c2a2b9b0d1d2be59797bc12118437fa782c49a95c3f0c082699947e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6abb92ce65423c69f08ea1e575796314

SHA1
8fb32d8df661184547f1e7d654a2658be8a0a276

SHA256
66ac04b3da0947671410ea130b78ddb620e37cf83f5a792f3cd3190a2a945858

SHA512
257f0b19f65d66b3674433524d1b64667f8a8cd47e6fb5903df06e34e290cd4b30411ab46359dd304e7be200f3aacd44e7974e1a5aea5066731f4f91789db3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
3cd31110fdd8cd320c5f81a80d322099

SHA1
09916ef02e92a302fee6ca7d36d2b4c3475bd373

SHA256
3c2a88bec08530170948a8f0e09840f8bee3cca7465ab783e087f75b4e16cf73

SHA512
1555990e75af0cb3a3a08b6698d41de9adf821fc1f6aafdf8b35616dc19fcef5994b7fa5fc93b2b0a7961de2154cf31db4eb5bdf03ed3cb8a98feb9ac9623754

Download Submit