hxxps://drive[.]google[.]com/file/d/1SCIYYoZp4GrdUjhmHHN5pgdiwepE5UUx/view?usp=sharing

Analysis

max time kernel
264s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1SCIYYoZp4GrdUjhmHHN5pgdiwepE5UUx/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
10	drive.google.com
11	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133663155331109980"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 4796	4564	chrome.exe	84
PID 4564 wrote to memory of 4796	4564	chrome.exe	84
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 3336	4564	chrome.exe	85
PID 4564 wrote to memory of 4464	4564	chrome.exe	86
PID 4564 wrote to memory of 4464	4564	chrome.exe	86
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87
PID 4564 wrote to memory of 4972	4564	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1SCIYYoZp4GrdUjhmHHN5pgdiwepE5UUx/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x100,0x104,0x108,0xd4,0xdc,0x7ffb6a4acc40,0x7ffb6a4acc4c,0x7ffb6a4acc58
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,6475263843121764853,5226406629527234233,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,6475263843121764853,5226406629527234233,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,6475263843121764853,5226406629527234233,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2444 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,6475263843121764853,5226406629527234233,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,6475263843121764853,5226406629527234233,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3672,i,6475263843121764853,5226406629527234233,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4352 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4696,i,6475263843121764853,5226406629527234233,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5124,i,6475263843121764853,5226406629527234233,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:3284

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b539d2246516287afbc21bb2615a8176

SHA1
ce32ad0d257dbc25fa13df5d18df2c6bd08d7c1f

SHA256
79496c3546dccc5be27db7562daef383fe30ba662ce452e949304280e3b75e78

SHA512
f73bc8fa171bb79ecb13108eddb0f628584edeb27c0a5cde269b4a21648dda81450f485280ca313577d774a4ce92f8251aec0235dddab3781415c58ff7d1a6ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
abc061746403792be3c60f80a7e51bbd

SHA1
197f0a8889fa8d0fc6dd63bb05058b67ad910aee

SHA256
8eee29df901ab2fd2ddf54a198408efbd70a36dc9984ea14b17847d4dcb0f4b1

SHA512
bf0cab7e626785e3142e6413cdbf07b3461aa63bdc0b7fb316cf1315c80af6b34a4dc94ff91498bf8af5ddf2a2022c9e55d5f59921c156b2f807f1ee128e6ce4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
436edbd9996f051c180980f7afa8fd02

SHA1
3b0cc85215f3b15b974ec5e941e2f37e4304fb01

SHA256
5485d6a3b155a281f935aca2ae6f30928530e9958a00c90b8fbf89b40dd5a6d4

SHA512
fae781c9c9a9fd296e16d8672a5bf9bf0d815dcb2e2cc8706cd3c64a02328d35cb459acbc4b525766ac53941bee561e63c1c895a6578df7f68fc1e5d8c1c2ed9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1022B

MD5
aee3d6d1939bee54d69ca506a4201d73

SHA1
396a233b2726ebad3b3e1870c2b28322a1b1a6c7

SHA256
5c8ab30defe6c478128b2fc66555ed31d56ebbe1c6abab0442df0aa18b018ede

SHA512
d481e3e86d59e0ef6280a110755a4a19473070d6e1b0d5df8f1577592a2aa648b7829597a8acfce20b9d036008e5dc6f636cd470bbe7b11e2afcaf00360b6d21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b2d08d1b28d41732085542b5626d2d3

SHA1
977df6ddd54456393397cd894a51cb291ceaca96

SHA256
1047efb69337f81ea1f944c914f3fea9c52177e98a22a5672d4a99f1372d8eb7

SHA512
487dc96410b47bd15c084d88be058789424221dadc42ba909f8915e485331e8e05cd5c100f2df6f59b7d64ab85da879ea39d512502214118746a8d211009246d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0eb7732a95384aa9d31ad24f8a016304

SHA1
1fc0177aee7004905a8c754ede002097ffdac1f4

SHA256
1d71489ff02ea28c5da9dce8c0c368d3472cf89fb2fbee1d10bb504bf5d0a01d

SHA512
9d892af9ad336873b95091f647524bbb07875b5e0cf570272376e5b74d2f397db40c29897d693419a089358e8daca45a8efaf18168e3762dad77d0ec2b5c4462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
681050a0164cdd12272fcc1f227c3dda

SHA1
dd58fb51736b34f0b7cc64286b88716639bd7241

SHA256
f919215a1d6f22ff7b6e71f7fb49006b8cc7b9a8f59955cecb4a32e67fa6626e

SHA512
4e3e836f265fe9bac8d2a755344b5ae144e68fb2ad4d98bf5f35d5b2230d4ada743b8c0822fef7ebfc8e055a910c33d0f987f83478570da6def6455852446089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
d2a9c3846ea3f5cff0f1d491737982ca

SHA1
bac48e2aa994510b8839c4c754eb96d43f8124f6

SHA256
f2341564fe7f4c6ee3b42a85ed43f4565b79fa62fa0aeacccba8d237128ef9c6

SHA512
f2945f3c34fe2c60dfdff10361a9652ca5776621e948d56182d961508e67b64cb3f93465555a5ae67486bfd050d2689123438cd162857c73cbbec1f29d0f16c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit