warzonerat | hxxps://gofile[.]io/d/ZUzteK

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/ZUzteK

Score

10^/10

warzonerat defense_evasion discovery evasion execution infostealer persistence privilege_escalation rat upx

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 557897.crdownload	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

396 powershell.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3660 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Test.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation Test.exe

pid	process
396	powershell.exe

pid	process
3660	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	Test.exe

Drops startup file 2 IoCs

Processes:

Test.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	Test.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	Test.exe

Executes dropped EXE 2 IoCs

Processes:

Test.exe2.exe

pid process

868 Test.exe
5096 2.exe

pid	process
868	Test.exe
5096	2.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2.exe	upx
behavioral1/memory/5096-235-0x0000000000920000-0x000000000094D000-memory.dmp	upx
behavioral1/memory/5096-246-0x0000000000920000-0x000000000094D000-memory.dmp	upx
behavioral1/memory/5096-247-0x0000000000920000-0x000000000094D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Test.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DiscoverySrv (64bit) = "C:\\Users\\Admin\\Downloads\\Test.exe"	Test.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Test.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\jmBlsv. = "0"	Test.exe

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

Processes:

Test.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\jmBlsv. = "0"	Test.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.execmd.exe2.exenetsh.exeTest.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Test.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133662810172430882"	chrome.exe

NTFS ADS 2 IoCs

Processes:

Test.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	Test.exe
File opened for modification	C:\Users\Admin\Documents\Documents:ApplicationData	Test.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

chrome.exepowershell.exechrome.exe

pid process

816 chrome.exe
816 chrome.exe
396 powershell.exe
396 powershell.exe
396 powershell.exe
3824 chrome.exe
3824 chrome.exe
3824 chrome.exe
3824 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

816 chrome.exe
816 chrome.exe
816 chrome.exe
816 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Test.exe

pid process

868 Test.exe

pid	process
868	Test.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 816 wrote to memory of 2420	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 2420	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 3848	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 1924	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 1924	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe
PID 816 wrote to memory of 4748	816	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/ZUzteK
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd6e88cc40,0x7ffd6e88cc4c,0x7ffd6e88cc58
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,15266497711503493215,10761628284568265388,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1988 /prefetch:2
2⤵
PID:3848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1864,i,15266497711503493215,10761628284568265388,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2036 /prefetch:3
2⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,15266497711503493215,10761628284568265388,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2424 /prefetch:8
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,15266497711503493215,10761628284568265388,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3152 /prefetch:1
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,15266497711503493215,10761628284568265388,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:1356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4008,i,15266497711503493215,10761628284568265388,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4496 /prefetch:1
2⤵
PID:3368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3464,i,15266497711503493215,10761628284568265388,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3488 /prefetch:8
2⤵
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4888,i,15266497711503493215,10761628284568265388,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4908 /prefetch:1
2⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5112,i,15266497711503493215,10761628284568265388,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5140 /prefetch:8
2⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5128,i,15266497711503493215,10761628284568265388,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5280 /prefetch:8
2⤵
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5104,i,15266497711503493215,10761628284568265388,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5100 /prefetch:8
2⤵
PID:4592

C:\Users\Admin\Downloads\Test.exe
"C:\Users\Admin\Downloads\Test.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:1080

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5096

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5208,i,15266497711503493215,10761628284568265388,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5204 /prefetch:8
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3824

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2b58fe200715cd5473f631dd5e8c8686

SHA1
60806e8d2f05c7741d8bef5c166366f17bf713e4

SHA256
8701bd5a414fbb5f7dfd288d84cb9ce3e19351bfdcbb1956a1a310c2359fe67f

SHA512
49f09a394d67eb4525f73861b8118fde3fb94154442d3976106e0c3fdaa610ea2444891f7413d7b4d8c0a626b6347078b1a811b50e2a117487d04bff9fc79e47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
336B

MD5
317995475e61bef58f2490a0e4383995

SHA1
e0aae2252b521ec64f35b7b765875a3c77de8942

SHA256
17a2a388dab091876d22b2b93aee123f7255ed56dc7a0d568285c44e9fbd6547

SHA512
c448254febda086355f1e5f8ba4bda6f451ff99db927fa5e65facb3448691abd1a088e1658b0733d1078550cc3e6f91267c683ce6c3c75a0868ae355801bacf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c0deaeb98bc1e0d7ab11606691eaee79

SHA1
7499c1c994e4d1bc301e38abf5e907a4c03bdb0a

SHA256
7eb3afca4fb30042c5cc898fb4b26ea8db145a5121f2018c171cc5304cfb147f

SHA512
bdea7384af004f687ca4f36e7241e5521c5435cab256e51cf4e2414c64acbea225c873d19ab3cce2f0b4ae75d7dc022acd483bf1a125fcd6ce60495384caaf85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
f08991aaa41c723ffc2fe30d7a387d55

SHA1
dadd66f3fb355f094e702568ddc14efa70bc5ec2

SHA256
ef5d281aa07f8096f7849abd77fffd55a62873a5ec801d3cbdb4eb9bd9e9c1a0

SHA512
e6ba24ad536eb8892506081f80d50be8ee6fe3df8c1a0dbddf8774a465fe7b3804a2e43d7afa13ba6133d91e3692f52699e6c24f3e4fddcd8e968559c056a1cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b1ef7d3c58bdd58f01ef1a95b7801a5a

SHA1
41fe82d61cd91055d151e97ebeecfd6081375b80

SHA256
d996b7e4192a9b51f1eb87997da7c70eb479c0129da615070bc0c41951cadb41

SHA512
de7971859ab22f7ab9aa6244f92c1e653417c1a700c2c71ea86a0b6537e97b54165efdacbcd1771dbb6123520ba8f7b03f0f1bd5afdf6ce1f8093c0975697956

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c3966dc1e25959d0148ee039e02765b1

SHA1
396f3149d341fffeb098f18c497b8957c09d82e0

SHA256
ffd2f8a37474db8e58cb381912fe415fd091bd75e44c85825aed5e8005c8447b

SHA512
0ab02a7d2de902bfb62d5c8f45755146c188ffafce8acf2cd8c56756b471fe26a4e3df2151da7ac70620253e34a64d0b877481757dc7f1ae71878288fef31bdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7953e940217ac36b8ffc9a99a558c9c6

SHA1
3e20bc87123e2f4c0c91279e69b5b01b61337e77

SHA256
eb8532090e83aca6951c6726ed0b3c29b31fdcf5806124aac7ba677a65a4a266

SHA512
92353e2f7ebd06ad81b93b41a371e1aaa5a58d89abfa2d1ea3b5fc46c59374712aab79721506c1f3a192d7f526d4b3a0e1e38c7115ba44835fc46b4b6d994107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
835d3732712af3ec081caeb587452d33

SHA1
645cc7cdd56832538e0db932351a707ed31ecdde

SHA256
500562d037ebb352ec4201938ede04a40131a0eab5ef6300643ab654103015a9

SHA512
d031b64637f07b37d161f64fba145b7192cf7c1f642e0400a8a5e13f7e390f300730952e9a9cf75dfee28f90696b94564e870557fb9df17f9e08f1dabf81df6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5e1dfe33dd630dc2e3a5b8669c698045

SHA1
d5e4701cfebb170c956ef0d6c7fd6b4caa17ef9f

SHA256
7700905e3eb5bbe0166530c7691f646d8f9e3b9627cb035838040e61e9885f9a

SHA512
6477dc23c6a85beb1d857e03c8573cbc308d2d6bc783696d06377a5898b27b726c3654d789ddca16a6f889aded365712ea9dcd5d0e10653f01094a49131a395d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a044a0bd062dd1fd37db9c54efb18ece

SHA1
b393af6dfc529bee97aeae1da898ff63ed9e9584

SHA256
b8fd3a327826a5a9876000f35583ad3a9e1c4b59a32fb3595f024930d0eb92db

SHA512
094e894c461e9c9623ad78510e54c8c7f8ecf1bf6685a5cf53d42284839e9c231f727425d733f3cf5f438b3ce9f821aa1358c0f912427382b6a0f26b2fc13bc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9f318bdeb5337df5122ba0884694d77b

SHA1
033b85f0597c4277344045bbf10b8516391bc2a7

SHA256
a85c141b3165f79812c65c467b03260d0b98f7842811ef442d12a1cbc48a68e6

SHA512
38e9be12ffff067c65efdc5ca399c4a2a8e70e64a615b172047f3eb37e8bd3f92f74448cf55c857151a55689cf265f83463e1bc87bf84cbe621fdf5e201f2857

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
f0a39dc55aef65a804dd23afe9524e06

SHA1
d59e9b3294e9c0b04cf2c6e6f7a874a44c83dc78

SHA256
ae77762bf1d2f887c7da916840130735607c4e52da4ea11313652c132b5aaa0b

SHA512
64e127211bbf172c05e8152caafac4d23a6fe17f00a86343bf99bb269e8028350a84ac7ae663e6e9f8694694ddff60dfb1af254b19b76dae6d84714c217070c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
bb318b051885d0208602395a955b11d2

SHA1
4cd1c0f7b08bfb5aa139a9f36907a8ff789fa146

SHA256
e28ac64f3563261d3dba28effffb39d42483382133986ff4279eab30fa56ac93

SHA512
1e2d50e63d3c1e7c07a43c9128df3a2d4968a725065f84b2942c9baa78834b30e44c3de2d6a7577baf761e66084eee33b6fbebc9c5b46d441655af56fe643497

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_laxc1kyp.4bb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 557897.crdownload

Filesize
132KB

MD5
6f4e4259deddb4bca12f1b4515b5cada

SHA1
d132a7de37d85a9fd912df1af4e55334ebd5c929

SHA256
2d33bea4814e95dd5e2eec138c1bdb096efb0d377f24867e647e4fbc6f290419

SHA512
7e55438c34061fcf38c330f495c8a27edb012f90ac80f2dbc0b4072afed4f62f7dc39c012d60c1dde861cd32207c45094ab09a864a833c0d169f8ea038b45026

Download Submit
\??\pipe\crashpad_816_EHEXRSWCYLYNZAUV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/396-203-0x0000000008060000-0x00000000086DA000-memory.dmp

Filesize
6.5MB

Download
memory/396-171-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/396-205-0x0000000007A90000-0x0000000007A9A000-memory.dmp

Filesize
40KB

Download
memory/396-174-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/396-206-0x0000000007CA0000-0x0000000007D36000-memory.dmp

Filesize
600KB

Download
memory/396-184-0x0000000006120000-0x0000000006474000-memory.dmp

Filesize
3.3MB

Download
memory/396-185-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/396-186-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/396-187-0x0000000006CD0000-0x0000000006D02000-memory.dmp

Filesize
200KB

Download
memory/396-188-0x000000006FB10000-0x000000006FB5C000-memory.dmp

Filesize
304KB

Download
memory/396-198-0x0000000006D10000-0x0000000006D2E000-memory.dmp

Filesize
120KB

Download
memory/396-207-0x0000000007C20000-0x0000000007C31000-memory.dmp

Filesize
68KB

Download
memory/396-169-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/396-204-0x0000000007A20000-0x0000000007A3A000-memory.dmp

Filesize
104KB

Download
memory/396-173-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/396-172-0x0000000005650000-0x0000000005672000-memory.dmp

Filesize
136KB

Download
memory/396-202-0x00000000078F0000-0x0000000007993000-memory.dmp

Filesize
652KB

Download
memory/396-208-0x0000000007C50000-0x0000000007C5E000-memory.dmp

Filesize
56KB

Download
memory/396-209-0x0000000007C60000-0x0000000007C74000-memory.dmp

Filesize
80KB

Download
memory/396-210-0x0000000007D60000-0x0000000007D7A000-memory.dmp

Filesize
104KB

Download
memory/396-211-0x0000000007D40000-0x0000000007D48000-memory.dmp

Filesize
32KB

Download
memory/396-217-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/396-170-0x00000000057A0000-0x0000000005DC8000-memory.dmp

Filesize
6.2MB

Download
memory/396-168-0x0000000005130000-0x0000000005166000-memory.dmp

Filesize
216KB

Download
memory/396-167-0x000000007329E000-0x000000007329F000-memory.dmp

Filesize
4KB

Download
memory/1080-218-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/5096-235-0x0000000000920000-0x000000000094D000-memory.dmp

Filesize
180KB

Download
memory/5096-246-0x0000000000920000-0x000000000094D000-memory.dmp

Filesize
180KB

Download
memory/5096-247-0x0000000000920000-0x000000000094D000-memory.dmp

Filesize
180KB

Download