hxxp://download3[.]vmware[.]com

Analysis

max time kernel
1799s
max time network
1686s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
07-06-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://download3.vmware.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622463606882039"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
1380	chrome.exe
1380	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
224	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 1868	224	chrome.exe	77
PID 224 wrote to memory of 1868	224	chrome.exe	77
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 1084	224	chrome.exe	78
PID 224 wrote to memory of 3588	224	chrome.exe	79
PID 224 wrote to memory of 3588	224	chrome.exe	79
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80
PID 224 wrote to memory of 4136	224	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://download3.vmware.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde20cab58,0x7ffde20cab68,0x7ffde20cab78
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1780,i,1230184338188949791,15013145719820507223,131072 /prefetch:2
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1780,i,1230184338188949791,15013145719820507223,131072 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1780,i,1230184338188949791,15013145719820507223,131072 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2772 --field-trial-handle=1780,i,1230184338188949791,15013145719820507223,131072 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2808 --field-trial-handle=1780,i,1230184338188949791,15013145719820507223,131072 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3672 --field-trial-handle=1780,i,1230184338188949791,15013145719820507223,131072 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 --field-trial-handle=1780,i,1230184338188949791,15013145719820507223,131072 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1780,i,1230184338188949791,15013145719820507223,131072 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3720 --field-trial-handle=1780,i,1230184338188949791,15013145719820507223,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1380

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
933B

MD5
7f976b7e356206628e3f05257dbc750c

SHA1
4e427095ce62acffd0235f32e6c1a41c2f3ad161

SHA256
79480b801606ee07882f20b7134a065bff6909926d64bb27bbc6fa532e0b3193

SHA512
6cbb279f7219e4d0e4f7807cb43105cc1d3bf8b2aafab38cc2b1f86d85277122b9a45824f08f9cec4e1b7e078f60e8b13d21b62e13105b6f2d2c30fe492a586a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b48752d754d593541d1d1276231349ed

SHA1
60b8b911c218075b343240dd18a782d768f69a26

SHA256
9947425792a730d8e7362b8e6a123160318bacf2bab28019df880df7d4480678

SHA512
7122b68aef1e906ab515f9f393761ad913a14581f3960782b912dcfd5b2025e487a4ad7a85d34ae1bca33ffac431aa61db88cbfe92c99b0bbc0b17c2727685be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e8d1383a37a11b2b21cb0602a9151689

SHA1
7e92cf32408fdc833c7eb8c01d9b793273c59493

SHA256
d996993993d4ac264e106ad77fb4c653828677d341017614b490e8f449f8f533

SHA512
494db00b2d0067d26171e7580202da298e7a5341cfdbe38f77da34efd11718f77e1ede14e1647d80670ed8192274f39198232f06871d8e2cb4547db7cd0c024a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a20d2f6a0053073a0c7735001e8eb14d

SHA1
64b7bd09fa8f163a0f3bff0264af7a31cb6dbe6d

SHA256
02a97458bec094d532fb0a638b9a5817d2cdf4b550bc3acde75a8a8fa44ac0bc

SHA512
6e34c55651bd4b519dc4ad6e3b91f1f73bbccf808271e395fdb3868a5f71a17c898b45acf1da455c2c3471cee74edec1f7a7f52c087ca0eab7403108d1388055

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f57d7146ea8a215293320082d1973ced

SHA1
680811b8e54525247f628c3dd6807174d0b0f364

SHA256
db17add930f7023f53e81dfafe6a451d9a0c8fddaa58def60d9fa3cecea5d0dd

SHA512
53b964c121d24128e9fc822a686639c28c81eddd83275132774d8172b376db5b61f3bc9cb5f874d882902574546a5a71b0e985792903a0a6a550ec287e098aaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
50b619941df69c8ebc961bc5c5b89ed3

SHA1
5d73b078fee13b6c63172ba4854b053da1c4aeff

SHA256
1e8912d375c808f5264c2c3591bdd20b9f01d4612f3371f5c4be488800090b30

SHA512
04de7607d291faa18d3c56df9bce9cc9a34d517634d789304d275643951cebc47234a45f85e16f3cf8fcbb15776cdc47bc9b43dc14bd622b984cd67726af07d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ecb5f2bcf70a82d5c9ff689d56f6ea89

SHA1
9e2788841e7a3ee5035c242aee76c6b63cb68944

SHA256
168f10e36b015e81e5bfe28f81086758768e4addcad14d607859370a2368d7f1

SHA512
13539729b30070a96ffb394c878b28bacdf42190966b5672551ab852e28c3c4cdb2e1e5085a7c27ff16bf4f667efdb28e601cf0039620cd880507069cd6da9d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
f8917fb6c6e54408ab699b92380cf19e

SHA1
0baf82ee03d052c24b2554e6fbab9cf55f0572c2

SHA256
b23e62c0437b0f799efe07793a538a2d954e119f5e808c22bac16a79a43f6352

SHA512
3705e6709cc79bc8e0085e45e7187a7cf687e0112fbf8d12407e342ca73b8cf7691110042c07087c61940e7b36afc4d86551d928fdd5ebcec86c90c7c7fa0554

Download Submit