Analysis

  • max time kernel
    638s
  • max time network
    458s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    15-06-2024 04:28

General

  • Target

    Google Chrome.exe

  • Size

    26KB

  • MD5

    403939b2425a7df005f44befea8def6f

  • SHA1

    7421540a7f9c1fe3062e3e8f074452f1fd252654

  • SHA256

    a59d6df0ae2c12f5d0249c1f7f8b66db170252de8406124bea2311802d6a27a0

  • SHA512

    7f87cb3ba2635fe372345f066d47df187b499856d756b2a6172cae0a0847afcecad9afede9d3a7f0bdede2f19b960b55bec0727aa5ecc5a9daa2d10964386414

  • SSDEEP

    768:fKH2QbtBI9n7tANtj0ciJV554H40ycNVV3CWE:Z8BI95ANt4HRCYFyVV3Y

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
    "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:540
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe2567ab58,0x7ffe2567ab68,0x7ffe2567ab78
      2⤵
      PID:3440
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1840,i,12282038206625048111,11779349531199007023,131072 /prefetch:2
      2⤵
      PID:3004
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1840,i,12282038206625048111,11779349531199007023,131072 /prefetch:8
      2⤵
      PID:4836
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1840,i,12282038206625048111,11779349531199007023,131072 /prefetch:8
      2⤵
      PID:1484
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1840,i,12282038206625048111,11779349531199007023,131072 /prefetch:1
      2⤵
      PID:4228
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1840,i,12282038206625048111,11779349531199007023,131072 /prefetch:1
      2⤵
      PID:3136
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4324 --field-trial-handle=1840,i,12282038206625048111,11779349531199007023,131072 /prefetch:1
      2⤵
      PID:3992
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1840,i,12282038206625048111,11779349531199007023,131072 /prefetch:8
      2⤵
      PID:2496
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1840,i,12282038206625048111,11779349531199007023,131072 /prefetch:8
      2⤵
      PID:2040
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1840,i,12282038206625048111,11779349531199007023,131072 /prefetch:8
      2⤵
      PID:2716
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1840,i,12282038206625048111,11779349531199007023,131072 /prefetch:8
      2⤵
      PID:4376
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1840,i,12282038206625048111,11779349531199007023,131072 /prefetch:8
      2⤵
      PID:2840
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:1464
  • C:\Windows\SysWOW64\werfault.exe
    werfault.exe /h /shared Global\a5adfb2cdf69445b87180c8365a03079 /t 3736 /p 540
    1⤵
    PID:5064
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2796
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ExitClear.avi"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2588

Network

MITRE ATT&CK Matrix ATT&CK v13

Discovery

  • System Information Discovery (2) T1082
  • Query Registry (1) T1012

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
    Filesize

    264KB

    MD5

    f50f89a0a91564d0b8a211f8921aa7de

    SHA1

    112403a17dd69d5b9018b8cede023cb3b54eab7d

    SHA256

    b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

    SHA512

    bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize

    1KB

    MD5

    450e4645332948483aed0d9877498299

    SHA1

    4e354d2605d3b064cd86aca1f858972a53916029

    SHA256

    88ee45f24e79d6a581d524f0ef7011a1f92b62c98f9b8c23fec58b13bcf33497

    SHA512

    ccc045125d72b659fece31467faa467c83254e5b2c9e318744f273d7de9af28df849f3fac8fb7a845d874c2df1f8830c04fdd31c8033ce26c1375c11e3921179

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
    Filesize

    2B

    MD5

    d751713988987e9331980363e24189ce

    SHA1

    97d170e1550eee4afc0af065b78cda302a97674c

    SHA256

    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

    SHA512

    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize

    356B

    MD5

    a777d1a08f97000678858ebc12b0349b

    SHA1

    da9178e4c7e3c1d556160a58c43b385cdf3259b6

    SHA256

    378eba509c9b71bf4fbf317a8b77f4c0c284403952b3bb3ea5a0ca7f6e59dbb3

    SHA512

    bf8dc8a9912cfcf367d7df1b934763e7dc26fe2cdc2f3e82c44f7e74f6ef8c6d8f555b6e172ae30d77842bd59480a0a52a5f45cb53b361024968192872e3e56d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize

    6KB

    MD5

    0cb74cd173f1b9abdb442a8275640ab0

    SHA1

    33b5fcbaee0e11f730b4136fe828459406d635f0

    SHA256

    4b5e171579693ef37edfbd8042d41eaf4881bd60b2fabdf071fa21ffbbaf4c92

    SHA512

    460a985ec0ffa84ac5b363c5d1d6e3b365cc71e0498da84393b669491a4077b60c245146d27480ba40d3163c384a4997b9352c0bf99c8e1974179ff28964eed3

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
    Filesize

    16KB

    MD5

    2ba64da670b788c68129761bc7424793

    SHA1

    7fbbc464035c07a2ef8acc6b9669f452df5867e3

    SHA256

    af740f3a5953401031ec4b540b410a85055e3b31ca199295af13f6aaa2d4d4e2

    SHA512

    85ea1960c48684f55428166aa523b3d145b91fb64d7c84587a8b73bc5796fa35d6ccf166153bf00aedc6efab445cbe3656f65ffd65e4dc639cae2b1490865a80

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize

    276KB

    MD5

    8542b309aeb4d7f8ee9e78d27ab04ae3

    SHA1

    2a4c263d54d4b45b80742703ebb1275c6894eaee

    SHA256

    ae02b21d73e72a7b762b69ebc6f03f50b0114b7d74e698e1e700b2b760c964df

    SHA512

    adff032ecb1215afc8209be97ac8db9c2024c5a0f93121b9b69e1521e6ea1c3d328cc6145ce0bf38bd2ced85a5f3ebb727247a96f49cbabadd798057ecf7b719

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize

    276KB

    MD5

    edc44412e118c22d294ac40870c6cb5f

    SHA1

    b2dce0ee930ff09adc7e37fc9996ceaa785a4255

    SHA256

    552e5033af2a2adb89403ac7e7394cf4b286245224340a1b98caa1fdbe6f38d9

    SHA512

    3b62e118463ccabc83afb3c6fc7c2b5bb6a22292a72bae2fb0b18f7cb06c193a66f5cba1202e0099a4a82f4f2ea60cda142710b298be842a9d0c6dc55f534e0f

  • \??\pipe\crashpad_2404_PCQSEIWKUAFRNLIK
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/540-4-0x00007FFE390E0000-0x00007FFE392E9000-memory.dmp
    Filesize

    2.0MB

  • memory/540-45-0x00007FFE390E0000-0x00007FFE392E9000-memory.dmp
    Filesize

    2.0MB

  • memory/540-5-0x0000000004BC0000-0x0000000004BCA000-memory.dmp
    Filesize

    40KB

  • memory/540-0-0x00007FFE390E0000-0x00007FFE392E9000-memory.dmp
    Filesize

    2.0MB

  • memory/540-3-0x0000000004B00000-0x0000000004B92000-memory.dmp
    Filesize

    584KB

  • memory/540-2-0x00000000051E0000-0x0000000005786000-memory.dmp
    Filesize

    5.6MB

  • memory/540-1-0x0000000000060000-0x000000000006C000-memory.dmp
    Filesize

    48KB

  • memory/540-159-0x00007FFE390E0000-0x00007FFE392E9000-memory.dmp
    Filesize

    2.0MB

  • memory/540-160-0x00007FFE390E0000-0x00007FFE392E9000-memory.dmp
    Filesize

    2.0MB

  • memory/540-161-0x00007FFE390E0000-0x00007FFE392E9000-memory.dmp
    Filesize

    2.0MB

  • memory/2588-172-0x00007FFE178E0000-0x00007FFE17AEB000-memory.dmp
    Filesize

    2.0MB

  • memory/2588-184-0x00007FFE1E960000-0x00007FFE1E9C7000-memory.dmp
    Filesize

    412KB

  • memory/2588-164-0x00007FFE184E0000-0x00007FFE18796000-memory.dmp
    Filesize

    2.7MB

  • memory/2588-162-0x00007FF654B80000-0x00007FF654C78000-memory.dmp
    Filesize

    992KB

  • memory/2588-173-0x00007FFE25710000-0x00007FFE25751000-memory.dmp
    Filesize

    260KB

  • memory/2588-171-0x00007FFE293A0000-0x00007FFE293B1000-memory.dmp
    Filesize

    68KB

  • memory/2588-170-0x00007FFE298D0000-0x00007FFE298ED000-memory.dmp
    Filesize

    116KB

  • memory/2588-169-0x00007FFE299C0000-0x00007FFE299D1000-memory.dmp
    Filesize

    68KB

  • memory/2588-175-0x00007FFE1FC30000-0x00007FFE1FC51000-memory.dmp
    Filesize

    132KB

  • memory/2588-187-0x00007FFE17800000-0x00007FFE17857000-memory.dmp
    Filesize

    348KB

  • memory/2588-188-0x00007FFE173D0000-0x00007FFE1758A000-memory.dmp
    Filesize

    1.7MB

  • memory/2588-186-0x00007FFE1E940000-0x00007FFE1E951000-memory.dmp
    Filesize

    68KB

  • memory/2588-185-0x00007FFE17860000-0x00007FFE178DC000-memory.dmp
    Filesize

    496KB

  • memory/2588-163-0x00007FFE29A40000-0x00007FFE29A74000-memory.dmp
    Filesize

    208KB

  • memory/2588-183-0x00007FFE1E9D0000-0x00007FFE1EA00000-memory.dmp
    Filesize

    192KB

  • memory/2588-182-0x00007FFE1EA60000-0x00007FFE1EA78000-memory.dmp
    Filesize

    96KB

  • memory/2588-181-0x00007FFE1EA80000-0x00007FFE1EA91000-memory.dmp
    Filesize

    68KB

  • memory/2588-180-0x00007FFE1FBF0000-0x00007FFE1FC0B000-memory.dmp
    Filesize

    108KB

  • memory/2588-179-0x00007FFE1FC10000-0x00007FFE1FC21000-memory.dmp
    Filesize

    68KB

  • memory/2588-178-0x00007FFE253E0000-0x00007FFE253F1000-memory.dmp
    Filesize

    68KB

  • memory/2588-177-0x00007FFE256F0000-0x00007FFE25701000-memory.dmp
    Filesize

    68KB

  • memory/2588-176-0x00007FFE28B40000-0x00007FFE28B58000-memory.dmp
    Filesize

    96KB

  • memory/2588-166-0x00007FFE2D270000-0x00007FFE2D287000-memory.dmp
    Filesize

    92KB

  • memory/2588-165-0x00007FFE2D7C0000-0x00007FFE2D7D8000-memory.dmp
    Filesize

    96KB

  • memory/2588-168-0x00007FFE2A280000-0x00007FFE2A297000-memory.dmp
    Filesize

    92KB

  • memory/2588-167-0x00007FFE2A5A0000-0x00007FFE2A5B1000-memory.dmp
    Filesize

    68KB

  • memory/2588-174-0x000001E0B1880000-0x000001E0B2930000-memory.dmp
    Filesize

    16.7MB

  • memory/2588-201-0x000001E0B1880000-0x000001E0B2930000-memory.dmp
    Filesize

    16.7MB