Analysis Overview
SHA256
7a5df9d2619482c2b1ae44d7099f3c184723cd06a78c45261eefd4fd5d6a175f
Threat Level: Known bad
The file PowerCheat free.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
AgentTesla payload
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-18 14:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 14:33
Reported
2024-06-18 14:35
Platform
win10v2004-20240508-en
Max time kernel
96s
Max time network
103s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
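As an added example (not part of this report or of the sandbox's own tooling), the rows above can be parsed and scored so that the BIOS value reads by PowerCheat free.exe stand out from the identical reads by chrome.exe. The allow-list of benign readers is an assumption made here for illustration; the report only shows that both processes queried the key.

```python
"""Flag processes that read hardware-fingerprint values from the registry.

Added example, not taken from the sandbox report. Parses signature rows in
the report's table layout and counts BIOS value reads per process.
KNOWN_BENIGN is an assumed allow-list, not something the report states.
"""
import re
from collections import defaultdict

# Registry key whose values are commonly read for VM/sandbox fingerprinting
BIOS_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"

# Assumed allow-list: chrome.exe reads the same values in this run (crash
# report / telemetry metadata), so it is excluded to avoid a noisy alert.
KNOWN_BENIGN = frozenset({
    r"c:\program files\google\chrome\application\chrome.exe",
})

# Rows copied from the report's "Enumerates system info in registry" table
SAMPLE_ROWS = r"""
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
"""

# One table row: | Description | Indicator | Process | Target |
ROW_RE = re.compile(
    r"^\|\s*(?P<desc>[^|]*?)\s*\|\s*(?P<indicator>[^|]*?)\s*\|"
    r"\s*(?P<process>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|$"
)


def parse_rows(text):
    """Yield one dict per table row; header and non-table lines are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("desc") != "Description":
            yield m.groupdict()


def bios_value_reads(rows):
    """Map each process to the set of BIOS value names it queried."""
    reads = defaultdict(set)
    prefix = BIOS_KEY.lower() + "\\"
    for row in rows:
        indicator = row["indicator"]
        # Only value reads count; merely opening the key proves little
        if row["desc"] == "Key value queried" and indicator.lower().startswith(prefix):
            reads[row["process"]].add(indicator[len(prefix):])
    return reads


def suspicious_processes(text, allow=KNOWN_BENIGN, min_values=2):
    """Processes outside the allow-list that read at least min_values BIOS values."""
    reads = bios_value_reads(parse_rows(text))
    return sorted(
        proc for proc, values in reads.items()
        if proc.lower() not in allow and len(values) >= min_values
    )


if __name__ == "__main__":
    for proc, values in bios_value_reads(parse_rows(SAMPLE_ROWS)).items():
        print(proc, sorted(values))
    print("flagged:", suspicious_processes(SAMPLE_ROWS))
```

Reading SystemManufacturer, SystemProductName and SystemVersion under HARDWARE\DESCRIPTION\System\BIOS is a common VM and sandbox fingerprinting step, but the table itself shows a legitimate browser doing the same, so the read alone is not a verdict: with the allow-list emptied the function flags both processes. Scoping the rule to unsigned binaries or user-writable paths (here, the sample in %TEMP%) is what makes it useful.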
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631948562806851" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86a95ab58,0x7ff86a95ab68,0x7ff86a95ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff7c86dae48,0x7ff7c86dae58,0x7ff7c86dae68
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4232 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5020 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3224 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4000 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4312 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3124 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.4.4:53 | google.com | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
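Added example (not from the report): parse the Network table and set aside the lookups explained by Chrome's own telemetry and update traffic, the multicast DNS probe, and the resolver's PTR lookups of 8.8.8.8 and 8.8.4.4, leaving the lookups worth pivoting on. The benign suffix list is an assumption chosen because this detonation launched Chrome, whose crash handler and installer are visible in the process list.

```python
"""Separate candidate C2/licensing lookups from browser and resolver DNS noise.

Added example, not part of the sandbox report. BROWSER_SUFFIXES is an
assumed allow-list for the Chrome traffic seen in this run.
"""
import re

# Rows copied from the report's Network table (mDNS row with columns in order)
SAMPLE_NETWORK = """
| US | 8.8.8.8:53 | keyauth.win | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.4.4:53 | google.com | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
"""

# Assumed benign suffixes: Chrome telemetry/update hosts observed in this run
BROWSER_SUFFIXES = ("google.com", "gvt2.com")

# One table row: | Country | Destination | Domain | Proto |
ROW_RE = re.compile(
    r"^\|\s*(?P<country>[^|]*?)\s*\|\s*(?P<dest>[^|]*?)\s*\|"
    r"\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$"
)


def parse_network(text):
    """Yield one dict per data row of the Network table."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("country") != "Country":
            yield m.groupdict()


def classify(row):
    """Label a row as mdns, reverse-lookup, no-domain, browser-infra or candidate."""
    host, _, port = row["dest"].rpartition(":")
    domain = row["domain"].strip()
    if port == "5353" or host.startswith("224.0.0."):
        return "mdns"                      # multicast DNS probe, no unicast query
    if domain.endswith(".in-addr.arpa") or domain.endswith(".ip6.arpa"):
        return "reverse-lookup"            # resolver PTR lookups of 8.8.8.8 / 8.8.4.4
    if domain in ("", "N/A"):
        return "no-domain"
    if any(domain == s or domain.endswith("." + s) for s in BROWSER_SUFFIXES):
        return "browser-infra"
    return "candidate"


def summarize(text):
    """Return (label counts, sorted candidate domains) for a Network table."""
    counts, candidates = {}, set()
    for row in parse_network(text):
        label = classify(row)
        counts[label] = counts.get(label, 0) + 1
        if label == "candidate":
            candidates.add(row["domain"].strip())
    return counts, sorted(candidates)


if __name__ == "__main__":
    counts, candidates = summarize(SAMPLE_NETWORK)
    print(counts)
    print("pivot on:", candidates)
```

Of the thirteen lookups, only keyauth.win survives the filter. The report does not attribute it to a process, so the next step is to confirm it in the sample's strings or a packet capture rather than infer it from this table alone; the remaining nine Google-suffixed queries and the two PTR lookups are what an otherwise idle Chrome launch produces.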
Files
memory/3452-0-0x00007FF85B423000-0x00007FF85B425000-memory.dmp
memory/3452-1-0x00000294EDA90000-0x00000294EE1E0000-memory.dmp
memory/3452-3-0x00000294EE5A0000-0x00000294EE5BA000-memory.dmp
memory/3452-2-0x00000294EE5D0000-0x00000294EE622000-memory.dmp
memory/3452-4-0x00000294EFE90000-0x00000294EFEA2000-memory.dmp
memory/3452-6-0x00000294F0C70000-0x00000294F0E84000-memory.dmp
memory/3452-5-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
memory/3452-7-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
memory/3452-8-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
memory/3452-9-0x00007FF85B423000-0x00007FF85B425000-memory.dmp
memory/3452-10-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
memory/3452-11-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
memory/3452-13-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\eaa93b29-9489-4b1d-91ff-a46ddde92820.tmp
| MD5 | 8559aaf36b4ac31e055c1fba41314dfc |
| SHA1 | 417bc9bdbbaf71a392a1947d44cc3c98d8a345db |
| SHA256 | 78409f4aa1c69c1215f9581125344e91608af0ec9900abcf6a533bd3a0a6ade7 |
| SHA512 | 92f8ad27210da679967964b784bbf1e6485f8a9bb51807d3c353622af5d6b76aba6ee26fe6e17d99bc411ce5b7b0869c21df3b85f673e045d0fa9d206585cb15 |
\??\pipe\crashpad_2972_VDOCSDJSSLQJLTQG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | f4d6d93e5428d0cbdfa74bbcbef80104 |
| SHA1 | 1372458400e250525b4a5b712e17ab212199288c |
| SHA256 | 735d88b1654ddd83cc1736e0c39ad1fc47d29d01eef0c7bd4dc8fcb0ebd14afa |
| SHA512 | 227a35c1b4753e1dbd8cc38fd0def3b7c3b2f0e8988d9e2ada5715dd27a70191016bec7c8af4bcf68b2ed4bcc65ccc76ef8213faacacb9c890d8fa8b595511f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e66d52d0e6338cd73118a080f587d763 |
| SHA1 | 735c9bdd201001dfc458d4675d086f168576016d |
| SHA256 | 9db84a2cffea19ee7f488c82be3cfedc90f6739546d74b9275e653f0746faf77 |
| SHA512 | fd863230d4293f4664837ed69a829aa2e10d4bfd3f6ce2e79ed26396d709681876def2fc710d4faf4caff985b6cef21aab241145ae7b582a058e4823386007e1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b041af84241cf69a33f86ef7bb0eaccf |
| SHA1 | 83fd7868e36724c23ddf43b9989b3a773d575684 |
| SHA256 | 0d7885491bb6bcee52b5e5d02153f950476e81c02d6a98d7dd4cd763171a288c |
| SHA512 | 7046d859d5f9bb0d428f4900909f4fa6ddffce33004da0a329ea10c8ba4ff2f809275fbf8df53b5baee8f71365e85bba1dee7f81b536b3a0f1b966b00b8d9f4d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | eb0f4e22861f0cf33d9295c54da8c84d |
| SHA1 | 383f393d91c244a8013b6cef43efe4450b13a67e |
| SHA256 | a730fdb7f95671d820ca8097fc0292ab024bb4ebc8211a77ba6989475546176c |
| SHA512 | 55ebd0e82df4b43d2d487033c98d92da9c9fad57c0f22aea56d8e902a399238fc352fe975c7908e9bde1433dacf7496d307cbb84096249bb8f617066e2d5cd8e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584273.TMP
| MD5 | dc8842964af1824c3bb4e5847f626c18 |
| SHA1 | 522c8e0c235a4487b1c08e84bf28d7b39381e92a |
| SHA256 | 2cfca7d4459c26c67cb9f33308b8e02a9378ea3204470727cb74f50ee6d32334 |
| SHA512 | 7369878b5c7a685ff3fe1c8ca290e5b3f95be22a39ecf26cff67afd1ad6bae0844868b0293e41ba3adf5bd65097d1cf38dba456f01d66e39c618c8691f0b8633 |
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240618143416.pma
| MD5 | 6d971ce11af4a6a93a4311841da1a178 |
| SHA1 | cbfdbc9b184f340cbad764abc4d8a31b9c250176 |
| SHA256 | 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783 |
| SHA512 | c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a8c01181-f7a4-45f1-be44-d183b926233c.tmp
| MD5 | 0939d50d80e668fd5be9115bf70192c6 |
| SHA1 | 98f8bc942386247549e93959f0e702fa8543d77b |
| SHA256 | 7dc0a4992c237151ecd34a4d1ea65557e5554619a08a35ff4426addee9ade79d |
| SHA512 | 81836d3c16c771701b39fcdfca36ba9c3b9c3d953bea895aad77f786dc2c17d049f6d4b22d55ea5a259d83500239670ea8ddbbdeac632da95f37ece3ce20e96b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 3cfa6c9a8ffc475a1d73111ec2c32296 |
| SHA1 | a0c57088c732cc3e1938851728fff136699981a6 |
| SHA256 | d27481cd9aa0497a8d6eee256d10f678f63967585d113e6311476b2827b09e1b |
| SHA512 | 5dd4f110b7b74a24cebe95b04f3280c8601c1cf574eabf3ede35aaa47384410e23bab9505887acef01807845b24f49c41141ad01dd114152a66e1e2a95f69f1a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 3efeb4c0215c038f523f307e1372b514 |
| SHA1 | b1837bc871d92c1ce6199ae883c31c691561905f |
| SHA256 | 8a860a0925ae208f20ba279244d7bfe560e1101fbfd2dbb3357c0198ad38e12f |
| SHA512 | 4ab889a590019fd75f15dbc437e142d738b38cf1dd1b53ddb5858c579044962ed427bfe324f9522fc1e6c7238cce99b562876f0256eb6aa87d2e240a48722c24 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | 8077fb5832709a3f275efc3e2f7bb26a |
| SHA1 | ab7207e0f81124b0fb2715c841665c03e0bac410 |
| SHA256 | d880c9e94120ef8cd897b6aad62bbe44ec64c70124fb41fd95dd449106775992 |
| SHA512 | ba7c59a9a150ff03c6d02a83b34e9a5d2e779da656cc8ce34fabb4129d895575a130832c2453b700a3a34e6ff06db46dc95a7a783d482f09d208d064fa04a7b0 |
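Added example (not part of the report) for triaging the Files section above: the memory-dump names encode pid, dump index and region start/end, so they can be turned into region sizes and a count of how often each region was captured, and the dropped-file digests can be checked against the hashes of trivial contents before anyone spends time on them. Which region holds the payload is a heuristic the code labels as such; the report does not say.

```python
"""Triage the Files section: size memory-dump regions, spot trivial dropped files.

Added example, not part of the sandbox report. Dump names follow the
pattern shown in the report (memory/<pid>-<index>-<start>-<end>-memory.dmp).
The 'largest region' reading is a heuristic, not something the report states.
"""
import hashlib
import re
from collections import Counter

# Dump names copied from the report
SAMPLE_DUMPS = """
memory/3452-0-0x00007FF85B423000-0x00007FF85B425000-memory.dmp
memory/3452-1-0x00000294EDA90000-0x00000294EE1E0000-memory.dmp
memory/3452-3-0x00000294EE5A0000-0x00000294EE5BA000-memory.dmp
memory/3452-2-0x00000294EE5D0000-0x00000294EE622000-memory.dmp
memory/3452-4-0x00000294EFE90000-0x00000294EFEA2000-memory.dmp
memory/3452-6-0x00000294F0C70000-0x00000294F0E84000-memory.dmp
memory/3452-5-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
memory/3452-7-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
memory/3452-8-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
memory/3452-9-0x00007FF85B423000-0x00007FF85B425000-memory.dmp
memory/3452-10-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
memory/3452-11-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
memory/3452-13-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
"""

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dumps(text):
    """Yield pid, index, start, end and size for each dump name."""
    for m in DUMP_RE.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        yield {"pid": int(m["pid"]), "idx": int(m["idx"]),
               "start": start, "end": end, "size": end - start}


def region_summary(text):
    """Distinct regions with size and dump count, largest first."""
    times = Counter((d["start"], d["end"]) for d in parse_dumps(text))
    regions = [{"start": s, "end": e, "size": e - s, "dumps": n}
               for (s, e), n in times.items()]
    return sorted(regions, key=lambda r: r["size"], reverse=True)


# Contents worth recognizing on sight: an empty file and empty JSON containers
TRIVIAL_CONTENTS = {b"": "empty file", b"[]": "empty JSON array", b"{}": "empty JSON object"}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def trivial_digest_table():
    """Map (algorithm, hex digest) to (label, content) for every trivial content."""
    table = {}
    for content, label in TRIVIAL_CONTENTS.items():
        for algo in ALGOS:
            table[(algo, hashlib.new(algo, content).hexdigest())] = (label, content)
    return table


def classify_file(record, table=None):
    """Label a {path, md5, sha1, sha256, sha512} record by its SHA-256, then
    report whether every digest the record carries agrees with that content."""
    table = table or trivial_digest_table()
    hit = table.get(("sha256", record["sha256"].lower()))
    if hit is None:
        return "unknown", None
    label, content = hit
    consistent = all(hashlib.new(a, content).hexdigest() == record[a].lower()
                     for a in ALGOS if a in record)
    return label, consistent


# Records copied from the report's Files section
PIPE = {"path": r"\??\pipe\crashpad_2972_VDOCSDJSSLQJLTQG",
        "md5": "d41d8cd98f00b204e9800998ecf8427e",
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
                  "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"}
SCT = {"path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports",
       "sha256": "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945"}
LOCAL_STATE = {"path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State",
               "sha256": "735d88b1654ddd83cc1736e0c39ad1fc47d29d01eef0c7bd4dc8fcb0ebd14afa"}

if __name__ == "__main__":
    for r in region_summary(SAMPLE_DUMPS):
        print(f"0x{r['start']:016X}-0x{r['end']:016X} size=0x{r['size']:X} dumps={r['dumps']}")
    for rec in (PIPE, SCT, LOCAL_STATE):
        print(rec["path"], classify_file(rec))
```

Two things fall out of running this on the report's own data: the crashpad pipe entry carries the digests of zero bytes and the "SCT Auditing Pending Reports" entry carries the digests of the two-byte string `[]`, so neither is a dropped payload; and seven distinct regions of pid 3452 were dumped, one of them (0x7FF85B420000 to 0x7FF85BEE1000, about 11 MB) six times. A region that large at a high address is more likely a loaded module than the payload, so the 0x294... private regions are the ones to open first when looking for the AgentTesla payload the signatures name; that ordering is a heuristic, not a finding of the report.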