hxxps://tenor[.]com/view/shrek-shrek-rizz-rizz-gif-11157824601050747846

Analysis

max time kernel
1799s
max time network
1686s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
01/06/2024, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tenor.com/view/shrek-shrek-rizz-rizz-gif-11157824601050747846

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617386471617603"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3552	chrome.exe
3552	chrome.exe
4500	chrome.exe
4500	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3552	chrome.exe
3552	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe
Token: SeShutdownPrivilege	3552	chrome.exe
Token: SeCreatePagefilePrivilege	3552	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe
3552	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 2384	3552	chrome.exe	78
PID 3552 wrote to memory of 2384	3552	chrome.exe	78
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3916	3552	chrome.exe	79
PID 3552 wrote to memory of 3484	3552	chrome.exe	80
PID 3552 wrote to memory of 3484	3552	chrome.exe	80
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81
PID 3552 wrote to memory of 4900	3552	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tenor.com/view/shrek-shrek-rizz-rizz-gif-11157824601050747846
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeb9adab58,0x7ffeb9adab68,0x7ffeb9adab78
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1832,i,7238565738843172012,16744789827119854476,131072 /prefetch:2
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1832,i,7238565738843172012,16744789827119854476,131072 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2140 --field-trial-handle=1832,i,7238565738843172012,16744789827119854476,131072 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1832,i,7238565738843172012,16744789827119854476,131072 /prefetch:1
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1832,i,7238565738843172012,16744789827119854476,131072 /prefetch:1
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1832,i,7238565738843172012,16744789827119854476,131072 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=1832,i,7238565738843172012,16744789827119854476,131072 /prefetch:8
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=928 --field-trial-handle=1832,i,7238565738843172012,16744789827119854476,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
491c4f169e66229a2b8ddbb52668386f

SHA1
0bc6469ea95a2b19090a86df3b2ecd4d5b2dc9e7

SHA256
f764124893c37fad54b27c1908c025e8ddf7c25acced4463f82e8bbc3c77368a

SHA512
1c84179da00947eab7b7274e0ce2c2389f23e9d0fb01e8ac24207ddd4f99ff58798ad0adecb459a9e47f9faf643d99549f66f2597e2bc77688818f4e48d75418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b1cc045375c5043d5619e142635cd9cf

SHA1
7f7e88bbef5edef3e2447bee4703179e41f73786

SHA256
401e3be872fe4fd82e975a36eebd499255104dbf3fbe621a81a28561dbdad135

SHA512
a393183a5560509ee53e275010cd0bbf84e7a558d79555053c6f15b145e2744c953c819cde5855d62fb586802bf862a5a64615f9173bcbc0aaf546aaeb7a1b82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ab723bf26e26fa349b50546c069bbcb7

SHA1
f25152776c6b2a47f23dc714eb8ca820c32c801a

SHA256
e9826401485e94d19d828f8e8db8037dda195fbce69c38998922a4efb5147336

SHA512
570781dc524187f4e1d53181b9862487863760f1231eaf41facebc2d716b309ecf9a84266a5030d979a497ad3a175a9bb06275de550d67510fe13aa0f4e88c8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
bbd4fe84238039fc84fba8e35449490e

SHA1
727f0d4bb393e5d59036cf8792c4c93cd06f1f69

SHA256
8175de6a209177ba8eb6d4446b966002b786d21d5fe525bef631753514af6edc

SHA512
50840ebe06135e72b02a598a44a2880be73d3ab25f6fc313337848864a51588a2224b3fe3267a9711f55ecb2d411c168e29d54a9151d821d30b6390e5005d68e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d2dbb28a1dc6b4e027fa41b1165631f2

SHA1
732768131898a8d1643efd64409a8b7fca2d0366

SHA256
d2e7fe24be01c74cc32c848e7b47932644ad3760bf77d873fa25787fc842456f

SHA512
965ef16465edc3b3ca5d8a424a109c0b9c66be92e16a09b2ecee01b6c11e53c6338bf8d4964ed29b9ff96841eb32bad46c2ea1f7e6b5c326cfb17f3e09a0493e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
48d14a64bb0b46d332370374e83d3d26

SHA1
f2abd818cd05df5713ae322c6c20ba4137b1f063

SHA256
9907936d7c9a30864be2b771f8724613f26d54db86e9cf7ca87162ee9dc3e601

SHA512
cf94265c56b818e044fabe0d6be761d2966caf4498fbd4eb00ca48d45e2abf5dbc0284bdb971ec7ae224a460ae8296111c6730a1e6e7537cb8682520659d7eeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
f06325c7e7a1e292472630dde7ef4574

SHA1
5392a513e3816e5a4ceba220d8c5ac49bb2e8ded

SHA256
cfc171d1143fe836b5047fd76cd59d77e3335591d0ada245e528ea9c4e6bba0b

SHA512
cb37a9ce2ac09fda47fff6d41d5afad0e473f4d194210aa1b52db5ed6be6a1c0b4b0bd43b6ac4d60c3cf14d9a9c207855a800ed7c7cf4b773354d9e5825437c5

Download Submit