Analysis

  • max time kernel
    1799s
  • max time network
    1751s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-06-2024 06:51

General

  • Target

    $PLUGINSDIR/WinShell.dll

  • Size

    3KB

  • MD5

    1cc7c37b7e0c8cd8bf04b6cc283e1e56

  • SHA1

    0b9519763be6625bd5abce175dcc59c96d100d4c

  • SHA256

    9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

  • SHA512

    7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4748
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
      2⤵
        PID:5096
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 612
          3⤵
          • Program crash
          PID:3524
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5096 -ip 5096
      1⤵
        PID:4296
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        1⤵
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8411bab58,0x7ff8411bab68,0x7ff8411bab78
          2⤵
            PID:4516
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:2
            2⤵
              PID:3408
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:8
              2⤵
                PID:1508
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2280 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:8
                2⤵
                  PID:3596
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                  2⤵
                    PID:4660
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                    2⤵
                      PID:4892
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4412 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                      2⤵
                        PID:1376
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:8
                        2⤵
                          PID:4300
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:8
                          2⤵
                            PID:3960
                          • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
                            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
                            2⤵
                              PID:2240
                              • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
                                "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff6531aae48,0x7ff6531aae58,0x7ff6531aae68
                                3⤵
                                  PID:3316
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4228 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                                2⤵
                                  PID:3536
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4480 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                                  2⤵
                                    PID:2244
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4568 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                                    2⤵
                                      PID:4612
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4940 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                                      2⤵
                                        PID:4656
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4852 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                                        2⤵
                                          PID:2464
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5172 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                                          2⤵
                                            PID:4736
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3416 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                                            2⤵
                                              PID:5048
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:8
                                              2⤵
                                                PID:3984
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:8
                                                2⤵
                                                  PID:2136
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:8
                                                  2⤵
                                                    PID:2052
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5228 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                                                    2⤵
                                                      PID:1740
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5708 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                                                      2⤵
                                                        PID:4568
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4640 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                                                        2⤵
                                                          PID:3760
                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5728 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:2
                                                          2⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:1200
                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5772 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                                                          2⤵
                                                            PID:1480
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3116 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                                                            2⤵
                                                              PID:1384
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5536 --field-trial-handle=1704,i,5429871066771971700,7160891578930327538,131072 /prefetch:1
                                                              2⤵
                                                                PID:5004
                                                            • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                                                              "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                                                              1⤵
                                                                PID:892

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\Program Files\Google\Chrome\Application\SetupMetrics\20240619065749.pma

                                                                Filesize

                                                                488B

                                                                MD5

                                                                6d971ce11af4a6a93a4311841da1a178

                                                                SHA1

                                                                cbfdbc9b184f340cbad764abc4d8a31b9c250176

                                                                SHA256

                                                                338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

                                                                SHA512

                                                                c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                                Filesize

                                                                2B

                                                                MD5

                                                                d751713988987e9331980363e24189ce

                                                                SHA1

                                                                97d170e1550eee4afc0af065b78cda302a97674c

                                                                SHA256

                                                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                SHA512

                                                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                Filesize

                                                                7KB

                                                                MD5

                                                                a0effe526d809b186e7cc5de0f1aa79c

                                                                SHA1

                                                                7a11855faf748eff2e97a07fabac30f16d435160

                                                                SHA256

                                                                76b82eeabec4778732c7b2d68b08671cf30c94af5370f370ed8952bcac126789

                                                                SHA512

                                                                325d18375c345432724dd631d87db698a580c917f4dcc2e21181e2452b70eda7f46d475c89c5e228511807ece456143d8b54ba47126b80d80ce3fe0f303393ba

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                Filesize

                                                                7KB

                                                                MD5

                                                                9a2f5d6a9756c0142e335bef318299da

                                                                SHA1

                                                                1734e3ad0ba8487ad6666dd4176fc7ba8a95abec

                                                                SHA256

                                                                a4e69c8767f2b2634a17a87dfaaef437a6ae4f5ce3cdedf778af107a996b526f

                                                                SHA512

                                                                2d24ca0f29d21198277d44f7cacb77ace12886a1ce4089f5c4f412803fa748b40a972dcc07604027ebee303a66db244a50404685fde768ef367c168e90fab9f8

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                Filesize

                                                                257KB

                                                                MD5

                                                                91a1d6f4bd2dc46e77596340c4324a64

                                                                SHA1

                                                                234bbf65d47bedf35a9529c71c2354beef27ff61

                                                                SHA256

                                                                bbfc423eeba230bfe31bbb22284151843bdbdeb2b3319b902dda1b74e8a500ec

                                                                SHA512

                                                                848bf0a50dccf8532541a1f807ff4f46dc581c7630b9ce1dc65851cbea7efd015e93e50a33bf9a8a2a092122808b7bd2871da6d689d7bc8a6bf7ef1f7e22afb1

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                Filesize

                                                                257KB

                                                                MD5

                                                                addcb3e06ae19a60a9177ab4ae943aaa

                                                                SHA1

                                                                20bc05c2a24af6f22e395439ca7530d2e6b067b3

                                                                SHA256

                                                                42c877ce14761330ed822885e8d6faf7558fc904131fc17a4ddd1389d6743627

                                                                SHA512

                                                                0434d8431c162f22ed1ff045b79906e3777f03093e95cf0ce919d10a5df8a87d41288de0cf23e988c047b80ec27708c3f7f44bb6d9043a5233bad99e083637af

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

                                                                Filesize

                                                                91KB

                                                                MD5

                                                                c1400241cecfe1077e87086f59c48bd9

                                                                SHA1

                                                                06681f91a15a6b3486e317c6ec52c4d5fd270113

                                                                SHA256

                                                                6edaa01e945907a7112db38f065d67a8ce4cb8186a9a5b7f8be799614d6ab32a

                                                                SHA512

                                                                2bc6cabadf40e795478cb4e99289719f752d4ac5ea7f003bcc46934c88389aca2150c2695f959d1fea86879c41ff7ce59f17506dabe045b598cd522a12d72608

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58e78c.TMP

                                                                Filesize

                                                                88KB

                                                                MD5

                                                                0f331257f708b75f8ccbd911a2528668

                                                                SHA1

                                                                c6665add59098adff9bb2a243a9dd51ddd18f7ac

                                                                SHA256

                                                                6f1a7ae5ae7bc0044be5eaa95539780b50aa88ad7b0fab34812d3bc47d55587c

                                                                SHA512

                                                                124b6176f09d9942fa81cb5bfa0c65fbaf52a99cd519fc690a4545f5f1b32d8c27b7faf261a7a32555d3ff8de32b93b0f2dae7d069c5e9e927fd5d47f8c47470

                                                              • \??\pipe\crashpad_2860_CKPECPREIAXBQRYL

                                                                MD5

                                                                d41d8cd98f00b204e9800998ecf8427e

                                                                SHA1

                                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                SHA256

                                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                SHA512

                                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e