5882efa487c7d56ac32394411cb6b519cd2ed3987679be06717f5622a0d7dc97

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOL SKIN.lnk
Size

774B
MD5

08256ba7e58bff130c99f1e29729f00a
SHA1

d8ae5c9be860976634a06915fdafb5fa6620f488
SHA256

5882efa487c7d56ac32394411cb6b519cd2ed3987679be06717f5622a0d7dc97
SHA512

e511f249ad1fae177564e776037c1f9bf5bed22c7b8b8cf3b1300c21608b0f19d206499047e2c45385d95b8d24acf13d5a26ac1b5eabaa39a837ba451559ffd3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642327258900882"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4864	chrome.exe
4864	chrome.exe
3552	chrome.exe
3552	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 4388	4864	chrome.exe	92
PID 4864 wrote to memory of 4388	4864	chrome.exe	92
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 3308	4864	chrome.exe	93
PID 4864 wrote to memory of 1492	4864	chrome.exe	94
PID 4864 wrote to memory of 1492	4864	chrome.exe	94
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95
PID 4864 wrote to memory of 5040	4864	chrome.exe	95

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\LOL SKIN.lnk"
1⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdb284ab58,0x7ffdb284ab68,0x7ffdb284ab78
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=2008,i,15765147418629145116,16627871310438920954,131072 /prefetch:2
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=2008,i,15765147418629145116,16627871310438920954,131072 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2312 --field-trial-handle=2008,i,15765147418629145116,16627871310438920954,131072 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=2008,i,15765147418629145116,16627871310438920954,131072 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=2008,i,15765147418629145116,16627871310438920954,131072 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3620 --field-trial-handle=2008,i,15765147418629145116,16627871310438920954,131072 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=2008,i,15765147418629145116,16627871310438920954,131072 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=2008,i,15765147418629145116,16627871310438920954,131072 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=2008,i,15765147418629145116,16627871310438920954,131072 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=2008,i,15765147418629145116,16627871310438920954,131072 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=2008,i,15765147418629145116,16627871310438920954,131072 /prefetch:8
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1228 --field-trial-handle=2008,i,15765147418629145116,16627871310438920954,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3552

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a51753f4ad06043a57fc615779b97e8e

SHA1
66ea477da62119dbfc524009dc405723f50dd9cb

SHA256
975eb5600d85b2c76b31dae4fb2d588c280aafc2f3b8579e13286d252f3b5243

SHA512
eccd65d1891120a3a8f5044eca484dff560564839fa0554843dbb3dc20f336b52560b43a555bd85232cb8eceb9a356b492b2c3ae84e95e66e03b1d10c8970cb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2c180ec19ce3a4df1d9bbfe88d5cf980

SHA1
b2b35a87342b50425d03f36199eeaf3c8051cff9

SHA256
58930888362572c4c9175f39c19fa6eb4435473c640d71d0fd3af22f0c939992

SHA512
afd1375a59947cec7053d580836b455084442c314815bc908c083b74fb0259360628c6ce29f675319ba5dacad71125e019add95278e94e0352d07a4fbe711a80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a4801f0545bd32fc201ab972039bb0ae

SHA1
79a026a87d15e13093628b59d60958e396515b2a

SHA256
12c362c924e23ae4429e024b8e46274d00179e006e2cd6bd20cdd6ba55dfa3ac

SHA512
cb727cfa184456ff7f4fc7a6a8a20d05bc201deceda90f83756f72195ddf5ec21bbc6ff3be7d5c2f50d50e4d761dd2154f2b70f059dc21ef5afb619a69ed582d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a0f3465819124cc6596b79fb4411fe9f

SHA1
7a37b54634c93a072871217d281b3de27e3b69a3

SHA256
29fabaa444061f6d022fb1493a9989caa7608b9aa3342b80677b974d7c41d4ee

SHA512
0f4ef9a74a87cd42c36d59bd2a116a91b7f3f72df4ea27c5b019b10cc017724f0f1294f51ae21a16db1e427ec229d8ee893d6b4b9caee0ba42c9eb209ce50444

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
272KB

MD5
c3b27fbc49fccd27825d6b4943a5c7ae

SHA1
71167eef2a9938fbfec13dab4daf05146eb52196

SHA256
51f187c7252f544bea25a8b7e44d3bb6e4ff550719e903a7892d6678c40c6ad6

SHA512
a3ea6ed1ce9a79e6801f913354bc63e4d00a0044e9b00ec87f5752ec7470e400d6b0c9e8e3416d67cb1a1ca3c980efb71065ad1580d3fc322ab237092bac8e5e

Download Submit