c492195111dd428c770df99ad3d37da4a8ad71401c6e63c8335c1bbd26e1eb4d

Analysis

max time kernel
52s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Risk of Rain 2.exe
Size

635KB
MD5

f54b70c48326006a514f8522634c5b92
SHA1

83f57fdadf77674a23b041e89904bf7cb0ace079
SHA256

c492195111dd428c770df99ad3d37da4a8ad71401c6e63c8335c1bbd26e1eb4d
SHA512

38513a2ae3e7e03fc1d45cee8f70f95bb4a7614af0a3814ee3c864586987a28634dd0fea399a4776bd3644fd2a10dffcd4cdf117dc5f40ddb4d67ca6a32b8d79
SSDEEP

12288:G7qTUjTkxgQpQZyZpZXZLZqZKZqZqZqZqZqZqZqZqZqZqZqZqZqZqZqZqZqZqZqG:YqAktT

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641740979598863"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3320	chrome.exe
3320	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 4176	3320	chrome.exe	85
PID 3320 wrote to memory of 4176	3320	chrome.exe	85
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 4192	3320	chrome.exe	86
PID 3320 wrote to memory of 3612	3320	chrome.exe	87
PID 3320 wrote to memory of 3612	3320	chrome.exe	87
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88
PID 3320 wrote to memory of 1620	3320	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\Risk of Rain 2.exe
"C:\Users\Admin\AppData\Local\Temp\Risk of Rain 2.exe"
1⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85138ab58,0x7ff85138ab68,0x7ff85138ab78
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1944,i,6321583141329995108,15555044884116675778,131072 /prefetch:2
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1944,i,6321583141329995108,15555044884116675778,131072 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1944,i,6321583141329995108,15555044884116675778,131072 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1944,i,6321583141329995108,15555044884116675778,131072 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1944,i,6321583141329995108,15555044884116675778,131072 /prefetch:1
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4280 --field-trial-handle=1944,i,6321583141329995108,15555044884116675778,131072 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1944,i,6321583141329995108,15555044884116675778,131072 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1944,i,6321583141329995108,15555044884116675778,131072 /prefetch:8
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4612 --field-trial-handle=1944,i,6321583141329995108,15555044884116675778,131072 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4480 --field-trial-handle=1944,i,6321583141329995108,15555044884116675778,131072 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3076 --field-trial-handle=1944,i,6321583141329995108,15555044884116675778,131072 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4980 --field-trial-handle=1944,i,6321583141329995108,15555044884116675778,131072 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4420 --field-trial-handle=1944,i,6321583141329995108,15555044884116675778,131072 /prefetch:1
  2⤵
  PID:1540

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
810B

MD5
04ded51c968370f204c3c7b84b83c129

SHA1
8fcf8ce257e779108566cfbf2dc2cc4b08ec9195

SHA256
2d2c4d817da8d123e5c3ce89fc5d743299b62259bd3a286de01e173d971c7b21

SHA512
a9d1e197a0328c85f7da8c31eb45473d6620809f1e90761200434de041e89ade858615dc3bcd2578e3cc03d830d0a35f8c0761fad40b80e0bf3c7d853a3516c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
700d934c216d39ac1ddd2d7b20af0e7d

SHA1
2fbf62f6b408a3cd4f5e79a9d31b2d40bd5f9e37

SHA256
fffe5a8841d7e01b929bdee1378ff307eee2e3de35f60ec48a02484d6d76f62e

SHA512
18d295aef2d9ed9cd79c2435a3de247a0244acb69859879405cca6bf4b7dc4fe231518fe360f477614aa9131521ce01d76a74ce342fca3d2a83da1fcd21b8c5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
282790eaad49ad2dd79a0c0a436cb382

SHA1
a5f9e169a2443619a78e580aa5ca86a35200237d

SHA256
3afdf40a859ceb30cb77360c617c6cdde4994605d25cb4e1770ed1efa9d55dfe

SHA512
b1b948468db898d6f37835d51eb98247e95e03e5d990e5251ad5f5d30408b53dfd1a6bdcae6fc60b72c0b83e9537b593d9078bbf55e6d2c86947817f4de113e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
bbeffe492419db0180bec70038216fd8

SHA1
3bb28a1c4b568d33fd1f4e9da9871dec899b8ffd

SHA256
973b88ea6dd49274ee3ca791f097df235a43fe9402808db406e76610c0dec84f

SHA512
03051284dd7c540de2500d9a0582d7eb9db80d58741a8062e81498d2ac9ae5822caf5497f2b8d8f81afb2931e6ac27eea77c3f34f11f845f3682998a3c64b00e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
57a30c010f0f31876c7c7398257d53dc

SHA1
d25ceb640a5105547707bb53a11d7e9141d976aa

SHA256
6b173a4f2376237526d4e0ffc3f20f51039db1c191a51a6ffa0e453904f2619e

SHA512
babbbbf71a16b72cc202ade9ec2fac51ec099f5803f52c62b91b6d9f450dce31e678a68072f0d99b2fba739fe95046cb604dbbb6baa73e14a2b6b3bcb7a31711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
19c5d3522b5d5f0afda79c7301c4b6fb

SHA1
63606ef25500d3db57e4d19325d6dc66bd1a73aa

SHA256
142d8b22b1afdd98f1558499196f6cd4a7c52a2bc727137eeb30e4d2485b083b

SHA512
dbbe9a0e258a5ce60627e5ab724f427014eec0da9818a19b75528daf0dd056bdc765c49db31b52e9d95bd96101027dba6b64ef0a7eab06373f4f69d2fc525dfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit