hxxps://www[.]dropbox[.]com/scl/fi/sflaqx6jwju35tz327688/TCCC-Fanta-Fenix-IT-Q224-Picnic-Creative-Reporting-20240501[.]xlsx?rlkey=c1ywlywdh33pgkfsx2olj6v18&dl=1

Analysis

max time kernel
50s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/sflaqx6jwju35tz327688/TCCC-Fanta-Fenix-IT-Q224-Picnic-Creative-Reporting-20240501.xlsx?rlkey=c1ywlywdh33pgkfsx2olj6v18&dl=1

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133628497069335956"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4180	chrome.exe
4180	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe
Token: SeShutdownPrivilege	4180	chrome.exe
Token: SeCreatePagefilePrivilege	4180	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe
4180	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 2240	4180	chrome.exe	82
PID 4180 wrote to memory of 2240	4180	chrome.exe	82
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 4388	4180	chrome.exe	85
PID 4180 wrote to memory of 2084	4180	chrome.exe	86
PID 4180 wrote to memory of 2084	4180	chrome.exe	86
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87
PID 4180 wrote to memory of 648	4180	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.dropbox.com/scl/fi/sflaqx6jwju35tz327688/TCCC-Fanta-Fenix-IT-Q224-Picnic-Creative-Reporting-20240501.xlsx?rlkey=c1ywlywdh33pgkfsx2olj6v18&dl=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e7e7ab58,0x7ff8e7e7ab68,0x7ff8e7e7ab78
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1892,i,17033111205419053897,9020132517560673652,131072 /prefetch:2
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1892,i,17033111205419053897,9020132517560673652,131072 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1892,i,17033111205419053897,9020132517560673652,131072 /prefetch:8
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1892,i,17033111205419053897,9020132517560673652,131072 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1892,i,17033111205419053897,9020132517560673652,131072 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1892,i,17033111205419053897,9020132517560673652,131072 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 --field-trial-handle=1892,i,17033111205419053897,9020132517560673652,131072 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5116 --field-trial-handle=1892,i,17033111205419053897,9020132517560673652,131072 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4148 --field-trial-handle=1892,i,17033111205419053897,9020132517560673652,131072 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4908 --field-trial-handle=1892,i,17033111205419053897,9020132517560673652,131072 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5092 --field-trial-handle=1892,i,17033111205419053897,9020132517560673652,131072 /prefetch:1
  2⤵
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3952 --field-trial-handle=1892,i,17033111205419053897,9020132517560673652,131072 /prefetch:1
  2⤵
  PID:3104

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4554ac01a84cbce4f73d77fac73c99c5

SHA1
4b0967b58eafcd6a790f8693c1d348e364faa824

SHA256
24b62759eed1413b0f159aaaf09ffc803d0a3409b079e4d93854472d3461b6f4

SHA512
779b1c75c4bc214ea0bd581a41938143ef78d977d4e7d053e3cac26f4255752898e48e798785287fdb0213ac6722659c4daabc88f3f43bb0e2f37f67a0acf0c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
93780bae1e95e6b382aa66d7d4185bda

SHA1
887398e2384db2e3a95da360890c2f448acdab9a

SHA256
768f3042fdd0d614176e48c6ddd91aa556db71f7583fa3d04a8fd2408e85bba6

SHA512
0f9e8234efe676abd5680fe44dc477ca9c80ac79f5ce202266312520cec7cb72ef536ca363dc17cd8e436298def8326b539a96cfa703ad42befd05c77c613f0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
8e088d26f5f15f0d4cb50950981d3df9

SHA1
91145889d66b687583e667a19af7a518298ab198

SHA256
8e09af264b844f3c55b612a37dc30422f52838c2bc0979b32ec8da17532c9ef5

SHA512
82591408bb0fba8373900892b11f080137c61017fb739056d56af556621d57313d7769c6651de316fa6764576b6697a30e5e097b75c6a825059dbfe7ca8426ab

Download Submit