hxxps://wdl1[.]pcfg[.]cache[.]wpscdn[.]com/wps/download[.]html?autodownload=false&channel=600[.]1021&wid=cid-674249709[.]1718380854

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://wdl1.pcfg.cache.wpscdn.com/wps/download.html?autodownload=false&channel=600.1021&wid=cid-674249709.1718380854

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133649699860092948"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
884	chrome.exe
884	chrome.exe
4368	chrome.exe
4368	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
884	chrome.exe
884	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 3068	884	chrome.exe	82
PID 884 wrote to memory of 3068	884	chrome.exe	82
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 2852	884	chrome.exe	84
PID 884 wrote to memory of 888	884	chrome.exe	85
PID 884 wrote to memory of 888	884	chrome.exe	85
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86
PID 884 wrote to memory of 3120	884	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://wdl1.pcfg.cache.wpscdn.com/wps/download.html?autodownload=false&channel=600.1021&wid=cid-674249709.1718380854
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae097ab58,0x7ffae097ab68,0x7ffae097ab78
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1768,i,13656825122374171711,15611574260943575910,131072 /prefetch:2
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1768,i,13656825122374171711,15611574260943575910,131072 /prefetch:8
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1768,i,13656825122374171711,15611574260943575910,131072 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1768,i,13656825122374171711,15611574260943575910,131072 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1768,i,13656825122374171711,15611574260943575910,131072 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4416 --field-trial-handle=1768,i,13656825122374171711,15611574260943575910,131072 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1768,i,13656825122374171711,15611574260943575910,131072 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4640 --field-trial-handle=1768,i,13656825122374171711,15611574260943575910,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4368

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
510019a446818fe3a0bace8f091c8cd5

SHA1
b5dd630bfd24c3830ee1a9b55de9ae83ffb11141

SHA256
1c6f02789561d2343f2862096610337e2ec65f647a9a3620cde617c36fcc1e8d

SHA512
e754e94f64cd233fa9a6c69fb1fe65ad38cef8e59745ed9f018adea5cc5260c3bcd1437b9b234f3f3c95b10ceda2e3395d6c0b2d29d62db74b6a8e8846a17967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
31755cea54a8c601bdae7e36012f670c

SHA1
0de0289a733927ef0875551272582c1a1ed4c23e

SHA256
df103bad544241da584396dd56a35b6a2b12efcbb2c63216a5440b2827bcc71d

SHA512
442b8e063cefeb0aaf6da56fc5fb6d0687722293990bddc0f6042428e0452044579db34dd89ed63f1330bcb76f426a6e6b3365a24f873cff3f6d9a7d72b6a515

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
b4153086773b666b68149adc85ee3c13

SHA1
c88045115a572b6bde8a99517eee7d8ae1e62ef6

SHA256
31f8dcda8051bd9520cc4addbf3f2ea879bfebd2ccb18bf61038598e86a027f7

SHA512
2957973acd092346f9645d82a9b8e6c5f87bc5237d7cdf3b93b0696b0c0cf950f62133c0420540f739900f92a6071c881caed3640ef3add779ffe3682cf844da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2d5bd209b26ac4fca4b2a00027b00ba3

SHA1
652a6dff97f44bbfa1e3a5aaa3bca184900ebd0e

SHA256
a1b03f94946f9b45de6aceee7e79ee12c123009dac72bcf6d7e88fe1c2266070

SHA512
7e27026012f9f0a261256dad0897fefed7e09c93ae489327a33c869262c9af159e4f518320262e0b09c0a6752a0c2f9715d6829933ffbaf39d81ac40d8aac382

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
66c7eb809524d105dbe55d3b5c56568b

SHA1
9e81861237755cbdfcefde571a0cc95e896fbebf

SHA256
3d5c666908d070799c3164613ec2f891f9c5eeea3e644c5b751bd0957eb863bb

SHA512
170fee57d8b2ccbcf40f8d410dc954788846498c72852a1c38696db9b602f1d635300761f3bbf809340391c6840fe297c2ba9759805a49b1aeacb740726cfef1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
0db17c0e37c8e4837d12194200f8ed98

SHA1
e43d69766dffe3374de8a834da7988950073c137

SHA256
14bb152f0b75a3535f0ce3283919741cf6c7fe5c7eae9d24cc2044e69947e749

SHA512
4e9712bfb9019ae40f4ce1ff0b5e814000c027c8e088e8a094b6eebc57a7b9ab4624db750fa3b8568a1fafe69c394822f85aa1c2cb8e7625c5aa0440f6b8efdf

Download Submit