16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618735341276869"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4836	chrome.exe
4836	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	New Text Document mod.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4836	3720	New Text Document mod.exe	94
PID 3720 wrote to memory of 4836	3720	New Text Document mod.exe	94
PID 4836 wrote to memory of 2000	4836	chrome.exe	95
PID 4836 wrote to memory of 2000	4836	chrome.exe	95
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 4336	4836	chrome.exe	96
PID 4836 wrote to memory of 5068	4836	chrome.exe	97
PID 4836 wrote to memory of 5068	4836	chrome.exe	97
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98
PID 4836 wrote to memory of 1588	4836	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffbfab1ab58,0x7ffbfab1ab68,0x7ffbfab1ab78
    3⤵
    PID:2000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:2
    3⤵
    PID:4336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
    3⤵
    PID:5068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
    3⤵
    PID:1588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:1
    3⤵
    PID:1644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2848 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:1
    3⤵
    PID:4840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:1
    3⤵
    PID:4856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
    3⤵
    PID:316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
    3⤵
    PID:5024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
    3⤵
    PID:4264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
    3⤵
    PID:2348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
    3⤵
    PID:2340

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
383554d2427be45abd5fdee8bc03fb55

SHA1
2b6251d92278b7541cb36a1eb3d86b911198096f

SHA256
a022d8603c8a9ad52bad65f0bcbadee2d1e20143fb3c9c4db0db2989e2108c75

SHA512
e129ba1f54ff5141830c87c689afa46d5d211e41913d94c7cff67563c5639ef99db0c3a9fd58ee69f957cbede931e259ba4421df1ea98cd2de1995fac0f9f353

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
44474e5682dbe74292400d65b1764594

SHA1
1fcf5b4286adfc1694e75d656e18cedb5a480d06

SHA256
4a0caaf63ca4425830158baa5f37eb58f2df4855b9fd04b152ba8455ca2e9560

SHA512
8b08899f75eb3a6edcfdd1464af60766ceeea069d08b962139726729b7bd70729c3141d179ea928c1f18d65559514848fb24c9b6a9c05d5c03681b052b061428

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
886231d2c30508c535f715cb78b41aeb

SHA1
b86bdbc70b71c52cd7ae57863944e0a28b0b34cf

SHA256
8ef26bf4d813a16050ee916ad5524bfc407f69ac8747d49f01dd6ea60c9bc50b

SHA512
a3d15cada9026fe081abb5c0f07217e5d8bfa7d55dfdb25a4a79fc725309cd84de102c85f87722711b49eba8111f8924be0490fdb307e026b96da388a02fb692

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
3216dc71aaca6c8ad190e9d1f4c441a4

SHA1
7fbaaeec273e793b40a51350e91979dc202d6e57

SHA256
5ba6ba766205f05441be06b5fd3275229bcbab1046802d180f91ead3db1e9479

SHA512
6ac8ba7e2ff9472e060088372cad97c7e5f333f290ae0b3310641fc62b033e76fdd10e4e45ba88fc6b48a80baad937ed4b036635c20ec6e8d08b83af1cce43a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
4f55b3792bc3a7d56276f09c51b37976

SHA1
dfcb03d45c39bc2c47a6470ccd7d92ed360e44e0

SHA256
576c121f9d48ba961051436aee35a45a8127923c6cc7392e1b8df2367f989a9f

SHA512
ce0fc2380b7240a7530d2937b3f4559bf4fc6fc396084b065e5170f33cb5cd784536f94d618b6208bdef305f7827dafa0ef0e687fed5821ac640b9267b1e8365

Download Submit
memory/3720-0-0x00007FFBFE6C3000-0x00007FFBFE6C5000-memory.dmp

Filesize
8KB

Download
memory/3720-1-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/3720-2-0x00007FFBFE6C0000-0x00007FFBFF181000-memory.dmp

Filesize
10.8MB

Download
memory/3720-3-0x00007FFBFE6C3000-0x00007FFBFE6C5000-memory.dmp

Filesize
8KB

Download
memory/3720-4-0x00007FFBFE6C0000-0x00007FFBFF181000-memory.dmp

Filesize
10.8MB

Download