hxxps://p20[.]zdusercontent[.]com/attachment/24126/FtnWKCSX8kjXDDQt3c6iSmrDm?

Resubmissions

08/07/2024, 09:40

240708-lnmnbatapr 1

08/07/2024, 09:37

240708-llvk5stajj 1

Analysis

max time kernel
117s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://p20.zdusercontent.com/attachment/24126/FtnWKCSX8kjXDDQt3c6iSmrDm?

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133649053707316094"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1168	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2448	chrome.exe
2448	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2448	chrome.exe
2448	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe
Token: SeShutdownPrivilege	2448	chrome.exe
Token: SeCreatePagefilePrivilege	2448	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe
2448	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe
4540	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 224	2448	chrome.exe	83
PID 2448 wrote to memory of 224	2448	chrome.exe	83
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 2568	2448	chrome.exe	85
PID 2448 wrote to memory of 3868	2448	chrome.exe	86
PID 2448 wrote to memory of 3868	2448	chrome.exe	86
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87
PID 2448 wrote to memory of 2984	2448	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://p20.zdusercontent.com/attachment/24126/FtnWKCSX8kjXDDQt3c6iSmrDm?
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc63f4ab58,0x7ffc63f4ab68,0x7ffc63f4ab78
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1912,i,7606167989496029990,8278297976886867166,131072 /prefetch:2
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1912,i,7606167989496029990,8278297976886867166,131072 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1912,i,7606167989496029990,8278297976886867166,131072 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1912,i,7606167989496029990,8278297976886867166,131072 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1912,i,7606167989496029990,8278297976886867166,131072 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1912,i,7606167989496029990,8278297976886867166,131072 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1912,i,7606167989496029990,8278297976886867166,131072 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1912,i,7606167989496029990,8278297976886867166,131072 /prefetch:8
  2⤵
  PID:3112

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4540
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\PaymentAdvice92872.html
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b2dc363781bd3be113dccaa4e3a5a46f

SHA1
a2445e379d2dcd155721961cf1d1afb158d44991

SHA256
2113cf1c583322879cd35fca18f7241a2da727d8d91ca8fe7b0ba8d59e730f66

SHA512
c23b6fcac08fd356e554de5d6a8e8ef9c637490f5e6165a14ce6072837d0b76b987c7264e895f77f1d3d10833f38fbfce48dc75f9d0a2b0f80a55541cadc16f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
45cf92bf655e8170a2fa93c2a305131c

SHA1
93b8e7aaa0dab6a64944eb099284a7d3403b7585

SHA256
243ebf62305a4b83030b9bde36c85835f6d637d89768641d96ad866ba0ef8d3c

SHA512
c5464c98bc4a143dad8141d4a7c77b64740e89fd29dcba3f201c9ce9d0680b548dc0e2b850d69bac85c18d8056f8b747776352592d8d2e93ead48caa65b3af19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
f3d90d0629ae9cb8fe7589035b464bbe

SHA1
3a2864f98917aa0bb833d554275828e0bc385ee6

SHA256
ca5483a459364d702fc499e52e521043a82ad39279a1aad7a1998eaf40e9fa08

SHA512
f411369ec16cc4037f23de618d125f809925394ec89d9d9c1c824f25072866a547134c1e6217806c7292d6bbd9de385ae9ad901cb335553f0e7b773f202850ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e6b169ade172725a96c3b7c1626860bf

SHA1
25b45363e86eceb6802748d088645e5ab896ea2a

SHA256
d1259eca1ca82a22456b8e75db9178fa0e93248420ed3c163b9ed601b34587de

SHA512
523a25a0a293d2ecf6bacef213f55d451bd853dd5d2e2be3f2e85b6945a682deb168108ada9935a520b1788d8847d593237d6dd9f51f8d0825b327e07c8e8271

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
2a06db6ad563a7bb2a56834109f0ac1f

SHA1
3502cb550caee64f669797744c677e8781063b9a

SHA256
3aca295a7e50353a3d495fd211c81f4c47ed0f887d8e393080d00a9badf770a0

SHA512
0be2326b6e7bae2baa37f4b895eee12cffb2e68fd58e1b26ee7d3a9c4c3d1e279a047f1c803f53f692fa51e9c55cc9fe6f8a65ad73dac3ac9b8c5b8c2ee08f5d

Download Submit
C:\Users\Admin\Downloads\PaymentAdvice92872.html

Filesize
13KB

MD5
c63f7ee42bbd092231e80bc4195fb3d1

SHA1
769e185b34ad08b221fbdb52578d59c3702e1b99

SHA256
ab1adea98b56c7eda6b633a502a78af9a5c91e0385773983bde3d3738449800e

SHA512
b4fc57deb68fde510b3833283e37e6fce02d5ce79074aaefaf927202dcabb40f4770fbdf006d437e62fab781f53e498e6cf32bff5c80a2529945baaa7b1b2fb2

Download Submit