hxxps://communications[.]sketch[.]com/e3t/Ctc/LY+113/cWT0Y04/VWMrC73SWSWDW1JWR421LgBh_W2K0rfL5hHQCrN1f4_WP3crJ2W50kgx26lZ3nJW8Qhs_892-v6yW66lGL785Y6-QW22kG-x47ryFMW6qVSkd949dG6W33B-Vf2QhlnxW8B1J462ggMY_W6DRWsb7bfC24W8bszS-6sDTn4Vn3kWK3mJs5RVsRwXf2lD7csW7-VYjf3qfCn-W47LS9Z5Jz8BxW7sK8Gt1Sy8TMW8PLp_C8w94JdW1-HHkT4SzVg3N73DTP3hRry1f9h144W04

Analysis

max time kernel
19s
max time network
20s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://communications.sketch.com/e3t/Ctc/LY+113/cWT0Y04/VWMrC73SWSWDW1JWR421LgBh_W2K0rfL5hHQCrN1f4_WP3crJ2W50kgx26lZ3nJW8Qhs_892-v6yW66lGL785Y6-QW22kG-x47ryFMW6qVSkd949dG6W33B-Vf2QhlnxW8B1J462ggMY_W6DRWsb7bfC24W8bszS-6sDTn4Vn3kWK3mJs5RVsRwXf2lD7csW7-VYjf3qfCn-W47LS9Z5Jz8BxW7sK8Gt1Sy8TMW8PLp_C8w94JdW1-HHkT4SzVg3N73DTP3hRry1f9h144W04

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2228	chrome.exe
2228	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2228	chrome.exe
2228	chrome.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: 33	3104	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3104	AUDIODG.EXE
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4688	2228	chrome.exe	84
PID 2228 wrote to memory of 4688	2228	chrome.exe	84
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4812	2228	chrome.exe	85
PID 2228 wrote to memory of 4736	2228	chrome.exe	86
PID 2228 wrote to memory of 4736	2228	chrome.exe	86
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87
PID 2228 wrote to memory of 4024	2228	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://communications.sketch.com/e3t/Ctc/LY+113/cWT0Y04/VWMrC73SWSWDW1JWR421LgBh_W2K0rfL5hHQCrN1f4_WP3crJ2W50kgx26lZ3nJW8Qhs_892-v6yW66lGL785Y6-QW22kG-x47ryFMW6qVSkd949dG6W33B-Vf2QhlnxW8B1J462ggMY_W6DRWsb7bfC24W8bszS-6sDTn4Vn3kWK3mJs5RVsRwXf2lD7csW7-VYjf3qfCn-W47LS9Z5Jz8BxW7sK8Gt1Sy8TMW8PLp_C8w94JdW1-HHkT4SzVg3N73DTP3hRry1f9h144W04
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xf8,0xd4,0x7ffc3657cc40,0x7ffc3657cc4c,0x7ffc3657cc58
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,18167271796005265567,18231840199610874907,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,18167271796005265567,18231840199610874907,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,18167271796005265567,18231840199610874907,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2176 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,18167271796005265567,18231840199610874907,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,18167271796005265567,18231840199610874907,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4332,i,18167271796005265567,18231840199610874907,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3836 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4948,i,18167271796005265567,18231840199610874907,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:1644

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4424

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
338KB

MD5
aea3320c9b5d1492e11abc2e1390a31a

SHA1
017fc0bed9a35fe7ae6155f23685c50d7b1ab5ef

SHA256
dab36beebdc185b0e886b44bafb388c9de0065d83cf25aaf1ca5bb6392f5d939

SHA512
4eb22fd64c57d27f36cdf21a26043995edccba253f6356192221cbb1e70dbdfc76ec333854334ad02d860efdf471fca7c7348c5ebf32c1a988f6cfa35fc8fc6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dd18c69604ad517e0aca20e51a29b543

SHA1
c94b6fb139149449eca12112895802e198e19df3

SHA256
f2d4fd57d64393751a3b002c80f09f66e9b97f11281b65ec2f14fbf8fa9f66fe

SHA512
6a78ab30e2b47359e943db2ee66b8a08e4801063648c06752bc2579d341897cb85f63c0c43203663ea5ca3bd11ce0ea4240a98e9507dd4c0d3e65ffdf25d955d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b4fb9272071694f7e4d79d134504323b

SHA1
7db3f56715e5637b5f4e7f0d87ed53f7346c6fda

SHA256
d46c84adb680fa6aee8451986595fa94ea4bb51d4aec557c39ebc5ef1a7de8b2

SHA512
78e8874f2a6cd6d8c57af3f8807d442c2944e230ec0f3785fa57dbfd558656bd6cdb4f869663c04db953672ef52c50fc839223a8ab0cdec2846781e38d0dc0e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
0fcfc8520c5b32c9612913318eb399f4

SHA1
b957fa414bc09532727003a91be8b06c708976e7

SHA256
a72acc57b31ca4a234bfcf64b1f032a5b8e0e5701229bc908dcc5f45ab2091c1

SHA512
c5b8df5ab20e9b5bea59cfd8a902dc4c9e7b3a00fb256a028b757cdf4fcc9f0002b91b9b55db72c2687c5782b3c787bce2964760eac7efee8d5107a30498c7ef

Download Submit