16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Text Document mod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618735341276869"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4836 chrome.exe
4836 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4836 chrome.exe
4836 chrome.exe
4836 chrome.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

New Text Document mod.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3720	New Text Document mod.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exechrome.exe

description	pid	process	target process
PID 3720 wrote to memory of 4836	3720	New Text Document mod.exe	chrome.exe
PID 3720 wrote to memory of 4836	3720	New Text Document mod.exe	chrome.exe
PID 4836 wrote to memory of 2000	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 2000	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 4336	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 5068	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 5068	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe
PID 4836 wrote to memory of 1588	4836	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffbfab1ab58,0x7ffbfab1ab68,0x7ffbfab1ab78
3⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:2
3⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
3⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
3⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:1
3⤵
PID:1644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2848 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:1
3⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:1
3⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
3⤵
PID:316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
3⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
3⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
3⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1960,i,7335467111910587257,2922281275308827548,131072 /prefetch:8
3⤵
PID:2340

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
383554d2427be45abd5fdee8bc03fb55

SHA1
2b6251d92278b7541cb36a1eb3d86b911198096f

SHA256
a022d8603c8a9ad52bad65f0bcbadee2d1e20143fb3c9c4db0db2989e2108c75

SHA512
e129ba1f54ff5141830c87c689afa46d5d211e41913d94c7cff67563c5639ef99db0c3a9fd58ee69f957cbede931e259ba4421df1ea98cd2de1995fac0f9f353

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
44474e5682dbe74292400d65b1764594

SHA1
1fcf5b4286adfc1694e75d656e18cedb5a480d06

SHA256
4a0caaf63ca4425830158baa5f37eb58f2df4855b9fd04b152ba8455ca2e9560

SHA512
8b08899f75eb3a6edcfdd1464af60766ceeea069d08b962139726729b7bd70729c3141d179ea928c1f18d65559514848fb24c9b6a9c05d5c03681b052b061428

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
886231d2c30508c535f715cb78b41aeb

SHA1
b86bdbc70b71c52cd7ae57863944e0a28b0b34cf

SHA256
8ef26bf4d813a16050ee916ad5524bfc407f69ac8747d49f01dd6ea60c9bc50b

SHA512
a3d15cada9026fe081abb5c0f07217e5d8bfa7d55dfdb25a4a79fc725309cd84de102c85f87722711b49eba8111f8924be0490fdb307e026b96da388a02fb692

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
3216dc71aaca6c8ad190e9d1f4c441a4

SHA1
7fbaaeec273e793b40a51350e91979dc202d6e57

SHA256
5ba6ba766205f05441be06b5fd3275229bcbab1046802d180f91ead3db1e9479

SHA512
6ac8ba7e2ff9472e060088372cad97c7e5f333f290ae0b3310641fc62b033e76fdd10e4e45ba88fc6b48a80baad937ed4b036635c20ec6e8d08b83af1cce43a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
4f55b3792bc3a7d56276f09c51b37976

SHA1
dfcb03d45c39bc2c47a6470ccd7d92ed360e44e0

SHA256
576c121f9d48ba961051436aee35a45a8127923c6cc7392e1b8df2367f989a9f

SHA512
ce0fc2380b7240a7530d2937b3f4559bf4fc6fc396084b065e5170f33cb5cd784536f94d618b6208bdef305f7827dafa0ef0e687fed5821ac640b9267b1e8365

Download Submit
\??\pipe\crashpad_4836_FVSFAKVHKWSAMLDD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3720-0-0x00007FFBFE6C3000-0x00007FFBFE6C5000-memory.dmp

Filesize
8KB

Download
memory/3720-1-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/3720-2-0x00007FFBFE6C0000-0x00007FFBFF181000-memory.dmp

Filesize
10.8MB

Download
memory/3720-3-0x00007FFBFE6C3000-0x00007FFBFE6C5000-memory.dmp

Filesize
8KB

Download
memory/3720-4-0x00007FFBFE6C0000-0x00007FFBFF181000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads