3a31304ad27e35dbb01ca7135d4017aca07b806ce66792cac18d2283905b1697

Analysis

max time kernel
75s
max time network
73s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
16/06/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ghidraRun.bat
Size

348B
MD5

de56028911ab02b943748073f7113949
SHA1

a15f5040b547a26a60692ef4e44f5eebe3cc466b
SHA256

3a31304ad27e35dbb01ca7135d4017aca07b806ce66792cac18d2283905b1697
SHA512

12989e5fff04875cd8bd141df5f01e31f929d85baf2882ef0f5b0e13c5f5f8fcdff85c631a8ff474e709f13197cf3c88a078f90ae7fcf3f58b87c50639644cc1

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629817438378568"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
736	chrome.exe
736	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 3744	736	chrome.exe	81
PID 736 wrote to memory of 3744	736	chrome.exe	81
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3968	736	chrome.exe	82
PID 736 wrote to memory of 3584	736	chrome.exe	83
PID 736 wrote to memory of 3584	736	chrome.exe	83
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84
PID 736 wrote to memory of 4364	736	chrome.exe	84

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ghidraRun.bat"
1⤵
PID:952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffef845ab58,0x7ffef845ab68,0x7ffef845ab78
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:2
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1348 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:1
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4176 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4816 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4360 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2872 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4796 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3848 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4880 --field-trial-handle=1764,i,1866723448672309351,3968960151104893130,131072 /prefetch:1
  2⤵
  PID:1172

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3d82c281cc6f4485c3c07f561834c909

SHA1
974fc446b90ddba97bbd2f46b7b9deaf1163f310

SHA256
aec08d0c4615177f99ab1d1a0e37b5051727ccf3121d1af731af83d8a4df4283

SHA512
b8bc5a230bdfb88d127b8008a5eb3fc9e9d79423339e3b33dc93c658a7b81831340ea771d189256dbaf0239f35fbc45fec24a758f32a65c6f0ea60ba2f6ddd3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5f4537b3db3ed1d4660d3bada99f6cbc

SHA1
f3f2cecf869acf9d19fcb779c0f12ae41c0e3776

SHA256
e622960ae389955aba6e0ddc5e07cf4f6496481ecbd7fed9c56381680e729a68

SHA512
77330157a2971a1bb4da3fa00674a39c0b5fb39c2cd23ed87fecec63844ed15d046adccaab0294690eef5ebd81ce5c70a30f7de68713e6dee48105b477345f82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
32d85b84ce6cb36bb3eeca43259c031d

SHA1
f5add23d5b7e9942e351422e1c9c79ca34f848ea

SHA256
0dfc205141ba8228fe3e29902d2abbe95e36b98444c17f99d4fa41e89276bbf4

SHA512
be16564bb85bc8290c9a7bdd9cb43c8d78e824d07230412de2c9e1d495b87c25277a9db12910d7d511cdd76ac34a42c3860647e03d37f6796b1b6c5fc2e05bf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
6bf7da4140b75852c1b018d99043439d

SHA1
5786a96c4e0f96260105e788dbbd950bab60e8e4

SHA256
e6e9633637ea582c54286e8e10ad93173b5ad88bb9eb0e206a46f842c56fd11d

SHA512
0605b6eb284b40ea159440551b7168c345c03d99dea53214649005db2e386e431976f48f8430f79f50762d27feb9019e0fee8d119570835cf127b09bfafe0a35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
858ae5757fe4787cafb229ff0ff4293c

SHA1
81e085c95f48771c78c6d4dd29a92ef5566c78fe

SHA256
5086153816175631256ec010984bc200b854fdcb9b6046a2d529be112428e195

SHA512
da5cce4e1639b704222f7461a91a9830d2ab60c3b6e7b996822de0f55ce947ef2f3270234b40d703f48729265677834feaf2f1f486e1de6dcd7da744123c49dc

Download Submit