hxxps://cdn[.]discordapp[.]com/attachments/909617228276703244/1079566544197128192/overtake[.]webm?ex=66a05031&is=669efeb1&hm=d825f72edb06ac4c76851100b0b4e0790ff8c1d2696028e99d5f5e5b8ad6b23a&

Analysis

max time kernel
19s
max time network
18s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23/07/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/909617228276703244/1079566544197128192/overtake.webm?ex=66a05031&is=669efeb1&hm=d825f72edb06ac4c76851100b0b4e0790ff8c1d2696028e99d5f5e5b8ad6b23a&

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133662125087682634"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5036	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5036	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: 33	3700	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3700	AUDIODG.EXE
Token: 33	5036	vlc.exe
Token: SeIncBasePriorityPrivilege	5036	vlc.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe
5036	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 4076	3900	chrome.exe	72
PID 3900 wrote to memory of 4076	3900	chrome.exe	72
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 1444	3900	chrome.exe	74
PID 3900 wrote to memory of 2804	3900	chrome.exe	75
PID 3900 wrote to memory of 2804	3900	chrome.exe	75
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76
PID 3900 wrote to memory of 2088	3900	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/909617228276703244/1079566544197128192/overtake.webm?ex=66a05031&is=669efeb1&hm=d825f72edb06ac4c76851100b0b4e0790ff8c1d2696028e99d5f5e5b8ad6b23a&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc8b519758,0x7ffc8b519768,0x7ffc8b519778
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1780,i,6733028109206968488,102315809506160346,131072 /prefetch:2
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1780,i,6733028109206968488,102315809506160346,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2052 --field-trial-handle=1780,i,6733028109206968488,102315809506160346,131072 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1780,i,6733028109206968488,102315809506160346,131072 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1780,i,6733028109206968488,102315809506160346,131072 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1780,i,6733028109206968488,102315809506160346,131072 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1780,i,6733028109206968488,102315809506160346,131072 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1780,i,6733028109206968488,102315809506160346,131072 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\overtake.webm"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5036

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2192

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
25f2f17b509e5d29fd265db6decf40e1

SHA1
c1da289be23078404bf15854095ca59b92cfddf6

SHA256
96bc2ed6ffd021495e5861399baaed2393cbd002b4339b259ed82e9d65151a1d

SHA512
8c01e35b5ee89fa4ccde7230134baa6f6e473d10fd62f85fc2268cac598e86b35de05ead4087ff8cf7f0de8ff94a81d8198706c9b4421ccc0b2e66251c789d39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
1f742536887577d44056970b74e1293c

SHA1
43c5e5ed1e578644e920f12ef4392d8e09ff3e51

SHA256
82aba3442e2060965909aa4aa129218401000ab78ba0a045d254a77fab979e3a

SHA512
e7e16cfc5ad55aefc3b7b3aba3830dffc28396d9bc8669c5f37d1d06eb0f5a55ed73c302dd0aa1eb08fb44431002fecef9dfdfe463e10504ddbebc04cc00a408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\overtake.webm.crdownload

Filesize
3.9MB

MD5
56c6040a0028702b0ed2f9961086b516

SHA1
6917bc5b0efc1add8f1254f1c83be2143e6b7368

SHA256
04a95e618528f6a68b180adcda9d4d35eafb15a9d6672ecffa4c3894a2866315

SHA512
58dcd88fec440f4d0fdceab8d3b87edf79a093af389f005ae4a84bd841ebe9001f3588814f1ce0b67719a91cce7b3d67c64ac124c1081f4203db8168210f27e1

Download Submit
memory/5036-64-0x00007FFC89520000-0x00007FFC89531000-memory.dmp

Filesize
68KB

Download
memory/5036-61-0x00007FFC89680000-0x00007FFC89697000-memory.dmp

Filesize
92KB

Download
memory/5036-63-0x00007FFC89610000-0x00007FFC89627000-memory.dmp

Filesize
92KB

Download
memory/5036-66-0x00007FFC894E0000-0x00007FFC894F1000-memory.dmp

Filesize
68KB

Download
memory/5036-59-0x00007FFC79880000-0x00007FFC79B36000-memory.dmp

Filesize
2.7MB

Download
memory/5036-65-0x00007FFC89500000-0x00007FFC8951D000-memory.dmp

Filesize
116KB

Download
memory/5036-67-0x00007FFC7E8B0000-0x00007FFC7EABB000-memory.dmp

Filesize
2.0MB

Download
memory/5036-57-0x00007FF7D1C50000-0x00007FF7D1D48000-memory.dmp

Filesize
992KB

Download
memory/5036-62-0x00007FFC89660000-0x00007FFC89671000-memory.dmp

Filesize
68KB

Download
memory/5036-58-0x00007FFC896D0000-0x00007FFC89704000-memory.dmp

Filesize
208KB

Download
memory/5036-60-0x00007FFC8A490000-0x00007FFC8A4A8000-memory.dmp

Filesize
96KB

Download
memory/5036-75-0x00007FFC88EE0000-0x00007FFC88EFB000-memory.dmp

Filesize
108KB

Download
memory/5036-74-0x00007FFC88F00000-0x00007FFC88F11000-memory.dmp

Filesize
68KB

Download
memory/5036-73-0x00007FFC88F20000-0x00007FFC88F31000-memory.dmp

Filesize
68KB

Download
memory/5036-72-0x00007FFC88F40000-0x00007FFC88F51000-memory.dmp

Filesize
68KB

Download
memory/5036-71-0x00007FFC88F60000-0x00007FFC88F78000-memory.dmp

Filesize
96KB

Download
memory/5036-70-0x00007FFC88F80000-0x00007FFC88FA1000-memory.dmp

Filesize
132KB

Download
memory/5036-69-0x00007FFC89120000-0x00007FFC89161000-memory.dmp

Filesize
260KB

Download
memory/5036-68-0x00007FFC787D0000-0x00007FFC79880000-memory.dmp

Filesize
16.7MB

Download