hxxps://drive[.]google[.]com/file/d/1SIEU_ZFSwqE4lyX6nCAk4Ve2VYyRawgi/view?pli=1

Analysis

max time kernel
13s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 09:10

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1SIEU_ZFSwqE4lyX6nCAk4Ve2VYyRawgi/view?pli=1

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
10	drive.google.com
94	drive.google.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "193"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133658538574754118"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: 33	3580	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3580	AUDIODG.EXE
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe
Token: SeShutdownPrivilege	1672	chrome.exe
Token: SeCreatePagefilePrivilege	1672	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5524	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 4904	1672	chrome.exe	85
PID 1672 wrote to memory of 4904	1672	chrome.exe	85
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 3952	1672	chrome.exe	86
PID 1672 wrote to memory of 2548	1672	chrome.exe	87
PID 1672 wrote to memory of 2548	1672	chrome.exe	87
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88
PID 1672 wrote to memory of 4184	1672	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1SIEU_ZFSwqE4lyX6nCAk4Ve2VYyRawgi/view?pli=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe0d6acc40,0x7ffe0d6acc4c,0x7ffe0d6acc58
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,2538820774303534345,16305277804649237302,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1812,i,2538820774303534345,16305277804649237302,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1908 /prefetch:3
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,2538820774303534345,16305277804649237302,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,2538820774303534345,16305277804649237302,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,2538820774303534345,16305277804649237302,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,2538820774303534345,16305277804649237302,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3680,i,2538820774303534345,16305277804649237302,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4364 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4980,i,2538820774303534345,16305277804649237302,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4352 /prefetch:8
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4748,i,2538820774303534345,16305277804649237302,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:5100

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:532

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa396b855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f678e877d3992e9f08098af49d06d210

SHA1
500ed818bf227e3c13066a083f426c4f2e40f689

SHA256
2a104f566503ae379bcc1927832d13ee43296cc9a26fc84692a748dc4fcc48b4

SHA512
fa2f87977804db4cc84a37c223168bc9b799bb7f2ad920d5c8e4878a6aadd39b6f0946260bba83aad74c877676e038463a2e1a5556fc99ee6a5da2e7a7d9d63c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0a072605eebc144507b9512602f5d951

SHA1
fea44167dfa7281c103f1a890e4a7f3d8161cf6f

SHA256
c4ca340d51017beaa8b031310d0db11c2987a71e7302fc0787f119bf7ed85c8d

SHA512
ac3fc9b0df32d68a705ef85b065ee5b3fe98786a2ca2efe7b3b90fdd98b601b7e9f3aa357917bd93450e5014bc3f678f029f2ac28522cc0d27eece0b370469c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
90B

MD5
e27be7852bd2419f1bf32a34a1dd3787

SHA1
4183f695e225b322cded5e11795022ea9098ce18

SHA256
45d35c262c222f03c368d3d93ddbe4fd9dede1544ab2e3a50940427472767004

SHA512
ec672fe201dae616c6816a20a41baf34a879939f87f965296e7494e29421ec08618eae20936da7d3fee12a47e8901da15eff0c098b1d2484bddd4f082f50c35e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe57d1c7.TMP

Filesize
154B

MD5
9c1d7d020cb2ba9a824447dbd5915bc7

SHA1
ab63ff70e0f551ac75eaa743744dde91043faefa

SHA256
e58ae76c07c860173d5ebb4b47f97985db834cae1a4a7b85420dd4242ff8b394

SHA512
8d0779dabe6eb4e30e36f82e0c49bcd8342e22d7a2cc5373a16343d4cd4954cd18efb360e4813c97dd29fd82c157520d7cc2d808b2562476df85d818668c9411

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
202c7ce98c8e19624b7ea4aa18aa624c

SHA1
1b9b536edda9a103081a6be3fbfde5773dd0266b

SHA256
f40af54548657d2b60a486f4471b8f7b6f43c95fd0b51c83ca911d3a7712bfb7

SHA512
98191c727bf1ce8de5d881a2eccc763a87fb5951a1ecd34ca71b4167a71dffa2b699d27743604d4bb52028c593aa268e74bc18dceebd8e7aa232615d675a9fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
c0594538af0aafc21bffc1e8d9e2db4d

SHA1
5cd5e2e1e5399b683d094d58793f488872f858c8

SHA256
bcb83e53ed1d0908cd937aa0bba7bf534b439ec4bae996f3d223c2f198d304d1

SHA512
0aa1026fc652c78406c9500a035300f76999b289d937c6dd0fa2ba98db16ee0391fd843fd2fd9de1459f058fad6da28a88b2344621ec6e2c72a4558c07cf8371

Download Submit